diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 32a1c7c58..e1b6718b9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -197,25 +197,111 @@ build:macOS:
     - pip3 install -U requests
     - python3 ./ci/gh_actions.py ${CI_COMMIT_REF_NAME} ${CI_COMMIT_SHA}
 
-docker:
+.docker: &docker
   <<: *nodep
-  stage: build
+  except: null
   image: docker:latest
+  variables:
+    DOCKER_HUB_REGISTRY: cznic/knot-resolver
+    GITLAB_REGISTRY: ${CI_REGISTRY}/knot/knot-resolver/cross-platform
+  tags:
+    - amd64
+    - dind
+
+docker:build:
+  <<: *docker
   <<: *multi_platform
-  only:
-    refs:
-      - branches@knot/knot-resolver
+  stage: build
+  except:
+    - tags
+  script:
+    - docker buildx build --no-cache -t knot-resolver:${PLATFORM} .
+  after_script:
+    - docker rmi --force knot-resolver:${PLATFORM}
+    - docker rmi $(docker images -f "dangling=true" -q)
   tags:
     - ${PLATFORM}
     - dind
-  variables:
-    DOCKER_IMAGE_NAME: knot-resolver-test:${CI_COMMIT_SHA}
+
+docker:build:cross-platform:
+  <<: *docker
+  stage: build
+  only:
+    - master@knot/knot-resolver
+    - tags
+  before_script:
+    - >
+      docker buildx create
+      --name kres-builder
+      --driver docker-container
+      --bootstrap --use
+    - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
   script:
-    - docker build --no-cache -t ${DOCKER_IMAGE_NAME} .
-    # TODO: perhaps try if the running image answers queries
-  after_script:  # remove dangling images to avoid running out of disk space
-    - docker rmi ${DOCKER_IMAGE_NAME}
-    - docker rmi $(docker images -f "dangling=true" -q)
+    - >
+      docker buildx build
+      --no-cache
+      --platform linux/amd64,linux/arm64/v8,linux/arm/v7
+      --provenance=false
+      --pull
+      --push
+      --tag ${GITLAB_REGISTRY}:${CI_COMMIT_REF_NAME}
+      .
+
+docker:test:cross-platform:
+  <<: *docker
+  <<: *multi_platform
+  stage: test
+  only:
+    - tags
+    - master@knot/knot-resolver
+  needs:
+    - docker:build:cross-platform
+  image:
+    name: ${GITLAB_REGISTRY}:${CI_COMMIT_REF_NAME}
+    entrypoint: [""]
+  before_script:
+    - apt-get update
+    - apt-get -y install knot-dnsutils curl git
+    - /usr/bin/knot-resolver -c /etc/knot-resolver/config.yaml > knot-resolver.log &
+  script:
+    # check that the resolver responds to queries
+    - kdig nic.cz @localhost#53
+    - kdig +tcp nic.cz @localhost#53
+    - kdig +tls nic.cz @localhost#853
+    - kdig +https nic.cz @localhost#443
+    # run some packaging tests
+    - tests/packaging/kresctl.sh
+    - tests/packaging/interactive/etag.sh
+    - tests/packaging/interactive/schema.sh
+    - tests/packaging/interactive/reload.sh
+    - tests/packaging/interactive/metrics.sh
+    - tests/packaging/interactive/cache-clear.sh
+    - tests/packaging/interactive/workers.sh
+    - kresctl stop
+  artifacts:
+    when: always
+    paths:
+      - knot-resolver.log
+  tags:
+    - docker
+    - ${PLATFORM}
+
+dockerhub:deploy:
+  <<: *docker
+  stage: deploy
+  when: manual
+  only:
+    - tags
+  needs:
+    - docker:test:cross-platform
+  before_script:
+    - echo "$DOCKER_HUB_TOKEN" | docker login -u $DOCKER_HUB_USER --password-stdin
+  script:
+    - >
+      docker buildx imagetools create
+      -t ${DOCKER_HUB_REGISTRY}:${CI_COMMIT_REF_NAME}
+      -t ${DOCKER_HUB_REGISTRY}:6
+      ${GITLAB_REGISTRY}:${CI_COMMIT_REF_NAME}
 # }}}
 
 # sanity {{{
@@ -576,7 +662,7 @@ obs:trigger: &obs_trigger
     - source ./venv/bin/activate
     - pip install --upgrade pip
     - pip install apkg
-    - scripts/make-obs.sh
+    - scripts/ci/make-obs.sh
     - echo y | scripts/ci/build-in-obs.sh $OBS_REPO
 
 obs:release:
@@ -618,6 +704,8 @@ obs:odvr:
     - apkg info cache | grep archive/dev
     - apkg install --build-dep
     - apkg test --test-dep
+  after_script:
+    - journalctl -u knot-resolver.service
   artifacts:
     expire_in: 1 week
     paths:
@@ -668,6 +756,10 @@ pkg:debian-11:
   <<: *enable_repo_build
   image: $CI_REGISTRY/packaging/apkg/full/debian-11
 
+pkg:ubuntu-24.10:
+  <<: *pkg_test_deb
+  image: $CI_REGISTRY/packaging/apkg/full/ubuntu-24.10
+
 pkg:ubuntu-24.04:
   <<: *pkg_test_deb
   image: $CI_REGISTRY/packaging/apkg/full/ubuntu-24.04
@@ -682,28 +774,28 @@ pkg:ubuntu-20.04:
   <<: *enable_repo_build
   image: $CI_REGISTRY/packaging/apkg/full/ubuntu-20.04
 
-pkg:fedora-40:
+pkg:fedora-41:
   <<: *pkg_test
-  image: $CI_REGISTRY/packaging/apkg/full/fedora-40
+  image: $CI_REGISTRY/packaging/apkg/full/fedora-41
 
-pkg:fedora-39:
+pkg:fedora-40:
   <<: *pkg_test
-  image: $CI_REGISTRY/packaging/apkg/full/fedora-39
+  image: $CI_REGISTRY/packaging/apkg/full/fedora-40
 
 pkg:alma-9:
   <<: *pkg_test
   image: $CI_REGISTRY/packaging/apkg/full/alma-9
+  before_script:
+    # python-watchdog is not included in the official Alma 9 packages
+    # install it using PyPi just for testing
+    - pip3 install watchdog
 
 pkg:arch:
   <<: *pkg_test_user
-  image: $CI_REGISTRY/packaging/apkg/test/arch
-  tags:
-    - docker
-    - linux
-    - amd64
+  image: $CI_REGISTRY/packaging/apkg/full/arch
   before_script:
-    - pacman -Syy
-    - pip install apkg
+    # prometheus and watchdog are optional dependencies, but our `apkg test` needs them
+    - pacman -Syu --noconfirm python-prometheus_client python-watchdog
 
 # RHEL 8 derivatives would need more work due to *default* python being old
 #pkg:rocky-8:
diff --git a/AUTHORS b/AUTHORS
index 3f8f226e2..d511deec3 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -21,6 +21,7 @@ Daniel Salzman <daniel.salzman@nic.cz>
 daurnimator <quae@daurnimator.com>
 David Beitey <david@davidjb.com>
 Felix Yan <felixonmars@archlinux.org>
+Frantisek Tobias <frantisek.tobias@nic.cz>
 Grigorii Demidov <grigorii.demidov@nic.cz>
 Hasnat <hasnat.ullah@gmail.com>
 Héctor Molinero Fernández <hector@molinero.dev>
@@ -45,6 +46,7 @@ Lukáš Ježek <lukas.jezek@nic.cz>
 Lukáš Ondráček <lukas.ondracek@nic.cz>
 Manu Bretelle <chantr4@gmail.com>
 Marek Vavruša <mvavrusa@cloudflare.com>
+menakite <29005531+menakite@users.noreply.github.com>
 Michal Karm Babáček <karm@email.cz>
 Michal Lupečka <mlupecka@nic.cz>
 Ondřej Surý <ondrej.sury@nic.cz>
diff --git a/Dockerfile b/Dockerfile
index 613636e3d..cc5e5ad96 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,6 @@ FROM debian:12 AS build
 ENV OBS_REPO=knot-resolver-latest
 ENV DISTROTEST_REPO=Debian_12
 
-
 RUN apt-get update -qq && \
 	apt-get -qqq -y install \
 		apt-transport-https ca-certificates wget \
@@ -25,10 +24,19 @@ RUN cd /source && \
 	git submodule update --init --recursive && \
 	git config --global user.name "Docker Build" && \
 	git config --global user.email docker-build@knot-resolver && \
+	\
+	# Replace 'knot-resolver' user and group with 'root'
+	# in meson_options.tx and python/knot_resolver/constants.py.
+	# This is needed for the file/directory permissions validation
+	# and then for the proper functioning of the resolver.
+	sed s/knot-resolver/root/g -i meson_options.txt && \
+	sed 's/USER.*/USER = "root"/g' -i python/knot_resolver/constants.py && \
+	sed 's/GROUP.*/GROUP = "root"/g' -i python/knot_resolver/constants.py && \
+	git commit -a -m TMP && \
+	\
 	/root/.local/bin/apkg build-dep -y && \
 	/root/.local/bin/apkg build
 
-
 # Real container
 FROM debian:12-slim AS runtime
 
@@ -56,10 +64,9 @@ RUN apt-get install -y /pkg/*/*.deb && \
 	apt-get remove -y -qq curl gnupg2 && \
 	apt-get autoremove -y && \
 	apt-get clean && \
-	rm -rf /var/lib/apt/lists/* && \
-	mkdir /config
+	rm -rf /var/lib/apt/lists/*
 
-COPY etc/config/config.example.docker.yaml /config/config.yaml
+COPY etc/config/config.example.docker.yaml /etc/knot-resolver/config.yaml
 
 LABEL cz.knot-resolver.vendor="CZ.NIC"
 LABEL maintainer="knot-resolver-users@lists.nic.cz"
@@ -67,5 +74,10 @@ LABEL maintainer="knot-resolver-users@lists.nic.cz"
 # Export plain DNS, DoT, DoH and management interface
 EXPOSE 53/UDP 53/TCP 443/TCP 853/TCP 5000/TCP
 
+# Prepare shared config
+VOLUME /etc/knot-resolver
+# Prepare shared cache
+VOLUME /var/cache/knot-resolver
+
 ENTRYPOINT ["/usr/bin/knot-resolver"]
-CMD ["-c", "/config/config.yaml"]
+CMD ["-c", "/etc/knot-resolver/config.yaml"]
diff --git a/NEWS b/NEWS
index 8d19f9373..050612214 100644
--- a/NEWS
+++ b/NEWS
@@ -1,16 +1,23 @@
-Knot Resolver 6.0.9 (2024-mm-dd)
+Knot Resolver 6.0.10 (202y-mm-dd)
 ================================
 
-Incompatible changes
---------------------
-- -f/--forks is removed (#631, !1602)
+Improvements
+------------
+- avoid multiple log lines when IPv6 isn't available (!1633)
+- manager: fix startup on Linux without libsystemd (!1608)
+- auto-reload TLS certificate files (!1626)
+
+
+Knot Resolver 6.0.9 (2024-11-11)
+================================
 
 Improvements
 ------------
 
+- rate-limiting: add these options, mechanism, docs (!1624)
 - manager: secret for TLS session resumption via ticket (RFC5077) (!1567)
 
-  The manager creates and sets the secret for all running 'kresd' workers.
+  The manager creates and sets the secret for all running ``kresd`` workers.
   The secret is created automatically if the user does not configure their own secret in the configuration.
   This means that the workers will be able to resume each other's TLS sessions, regardless of whether the user has configured it to do so.
 
@@ -20,6 +27,10 @@ Improvements
 - extended_errors: answer with EDE in more cases (!1585, !1588, !1590, !1592)
 - local-data: make DNAMEs work, i.e. generate CNAMEs (!1609)
 - daemon: use connected UDP sockets by default (#326, !1618)
+- docker: multiplatform builds (#922, !1623)
+- docker: shared VOLUMEs are prepared for configuration and cache (!1625, !1627)
+  
+  Configuration path was changed to standard ``/etc/knot-resolver/config.yaml``.
 
 Bugfixes
 --------
@@ -29,6 +40,7 @@ Bugfixes
 
 Incompatible changes
 --------------------
+- -f/--forks is removed (#631, !1602)
 - gnutls < 3.4 support is dropped, released over 9 years ago (!1601)
 - libuv < 1.27 support is dropped, released over 5 years ago (!1618)
 
@@ -40,8 +52,8 @@ Security
 --------
 - reduce buffering of transmitted data, especially TCP-based in userspace
   Also expose some of the new tweaks in lua:
-   (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
-   (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
+  - (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
+  - (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
 
 Packaging
 ---------
@@ -69,12 +81,11 @@ Improvements
 ------------
 - TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)
 - manager: export metrics to JSON via management HTTP API (!1527)
-  * JSON is the new default metrics output format
-  * the ``prometheus-client`` Python package is now an optional dependency,
-    required only for Prometheus export to work
+  - JSON is the new default metrics output format
+  - the ``prometheus-client`` Python package is now an optional dependency, required only for Prometheus export to work
 - cache: prefetching records
-  * predict module: prefetching expiring records moved to prefetch module
-  * prefetch module: new module to prefetch expiring records
+  - predict module: prefetching expiring records moved to prefetch module
+  - prefetch module: new module to prefetch expiring records
 - stats: add separate metrics for IPv6 and IPv4 (!1545)
 - add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
 - manager: policy-loader: new component for separate loading of policy rules (!1540)
diff --git a/daemon/main.c b/daemon/main.c
index 142cdbe5c..1600f59a2 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -38,6 +38,8 @@
 #include <uv.h>
 #if ENABLE_LIBSYSTEMD
 #include <systemd/sd-daemon.h>
+#else
+static int notify_ready(const char *state);
 #endif
 #include <libknot/error.h>
 
@@ -193,6 +195,8 @@ static int run_worker(uv_loop_t *loop, struct args *args)
 	/* Notify supervisor. */
 #if ENABLE_LIBSYSTEMD
 	sd_notify(0, "READY=1");
+#else
+	notify_ready("READY=1");
 #endif
 	/* Run event loop */
 	uv_run(loop, UV_RUN_DEFAULT);
@@ -382,6 +386,47 @@ static int start_listening(flagged_fd_array_t *fds) {
 	return some_bad_ret;
 }
 
+#if !ENABLE_LIBSYSTEMD
+/* Notify supervisord about successful inicialization
+ * @note tested only on an abstract address in $NOTIFY_SOCKET*/
+static int notify_ready(const char *state)
+{
+	int sockfd;
+	struct sockaddr_un addr;
+	char *socket_path = getenv("NOTIFY_SOCKET");
+	if (!socket_path) {
+		kr_log_error(WORKER, "Failed retrieving env variable $NOTIFY_SOCKET\n");
+		return EXIT_FAILURE;
+	}
+	if ((sockfd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
+		kr_log_error(WORKER, "Failed to create unix socket at $NOTIFY_SOCKET ('%s'): %s\n",
+				socket_path, strerror(errno));
+		return EXIT_FAILURE;
+	}
+
+	addr.sun_family = AF_UNIX;
+
+	int addrlen;
+	if (socket_path[0] == '@') {
+		addr.sun_path[0] = '\0';
+		strncpy(&addr.sun_path[1], socket_path + 1, sizeof(addr.sun_path) - 2);
+		addrlen = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path + 1) + 1;
+	} else {
+		strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
+		addrlen = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path) + 1;
+	}
+	if (sendto(sockfd, state, strlen(state), 0, &addr, addrlen) == -1) {
+		kr_log_error(WORKER, "Failed to send notify message to '%s': %s\n",
+			socket_path, strerror(errno));
+		close(sockfd);
+		return EXIT_FAILURE;
+	}
+
+	close(sockfd);
+	return kr_ok();
+}
+#endif /* if !ENABLE_LIBSYSTEMD */
+
 /* Drop POSIX 1003.1e capabilities. */
 static void drop_capabilities(void)
 {
diff --git a/daemon/worker.c b/daemon/worker.c
index 500eeb26a..55c916904 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -845,8 +845,10 @@ static int transmit(struct qr_task *task)
 		do {
 			ret = uv_udp_connect(udp, out_comm.comm_addr);
 		} while (ret == UV_EADDRINUSE && --connect_tries > 0);
-		if (ret < 0)
-			kr_log_error(IO, "Failed to establish udp connection: %s\n", uv_strerror(ret));
+		if (ret < 0) {
+			kr_log_info(IO, "Failed to establish udp connection to %s: %s\n",
+					kr_straddr(out_comm.comm_addr), uv_strerror(ret));
+		}
 	}
 	ret = qr_task_send(task, session, &out_comm, task->pktbuf);
 	if (ret) {
diff --git a/distro/pkg/arch/PKGBUILD b/distro/pkg/arch/PKGBUILD
index ebbd164d1..b01352c8e 100644
--- a/distro/pkg/arch/PKGBUILD
+++ b/distro/pkg/arch/PKGBUILD
@@ -46,6 +46,7 @@ optdepends=(
     'lua51-http: http and prefill modules, trust_anchors bootstrap'
     'lua51-psl: policy.slice_randomize_psl() function'
     'python-prometheus_client: stats and metrics in Prometheus format'
+    'python-watchdog: files monitoring and reload on changes'
 )
 backup=('etc/knot-resolver/config.yaml')
 options=(debug strip)
diff --git a/distro/pkg/deb/control b/distro/pkg/deb/control
index 5661e9739..907c9ffa9 100644
--- a/distro/pkg/deb/control
+++ b/distro/pkg/deb/control
@@ -56,6 +56,7 @@ Recommends:
  lua-http,
  lua-psl,
  python3-prometheus-client,
+ python3-watchdog,
 Suggests:
  knot-resolver6-module-http,
 Description: caching, DNSSEC-validating DNS resolver - core binaries
diff --git a/distro/pkg/rpm/knot-resolver.spec b/distro/pkg/rpm/knot-resolver.spec
index ca8602ffd..91c1a148b 100644
--- a/distro/pkg/rpm/knot-resolver.spec
+++ b/distro/pkg/rpm/knot-resolver.spec
@@ -65,6 +65,7 @@ Requires:       python3-pyyaml
 Requires:       python3-typing-extensions
 %endif
 Recommends:     python3-prometheus_client
+Recommends:     python3-watchdog
 
 # dnstap module dependencies
 # SUSE is missing protoc-c protobuf compiler
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
index b9397dc92..2532dc4fe 100644
--- a/doc/_static/config.schema.json
+++ b/doc/_static/config.schema.json
@@ -1,8 +1,8 @@
 {
     "$schema": "https://json-schema.org/draft/2020-12/schema",
-    "$id": "https://www.knot-resolver.cz/documentation/v6.0.8/_static/config.schema.json",
+    "$id": "https://www.knot-resolver.cz/documentation/v6.0.9/_static/config.schema.json",
     "title": "Knot Resolver configuration JSON schema",
-    "description": "Version Knot Resolver 6.0.8",
+    "description": "Version Knot Resolver 6.0.9",
     "type": "object",
     "properties": {
         "version": {
@@ -1677,27 +1677,33 @@
             "properties": {
                 "capacity": {
                     "type": "integer",
+                    "minimum": 1,
                     "description": "Expected maximal number of blocked networks/hosts at the same time.",
                     "default": 524288
                 },
                 "rate-limit": {
                     "type": "integer",
+                    "minimum": 1,
                     "description": "Maximal number of allowed queries per second from a single host."
                 },
                 "instant-limit": {
                     "type": "integer",
+                    "minimum": 1,
                     "description": "Maximal number of allowed queries at a single point in time from a single host.",
                     "default": 50
                 },
                 "slip": {
                     "type": "integer",
+                    "minimum": 0,
+                    "maximum": 32,
                     "description": "Number of restricted responses out of which one is sent as truncated, the others are dropped.",
                     "default": 2
                 },
                 "log-period": {
-                    "type": "integer",
-                    "description": "Minimal time in msec between two log messages, or zero to disable.",
-                    "default": 0
+                    "type": "string",
+                    "pattern": "^(\\d+)(us|ms|s|m|h|d)$",
+                    "description": "Minimal time between two log messages, or '0s' to disable.",
+                    "default": "0s"
                 },
                 "dry-run": {
                     "type": "boolean",
diff --git a/doc/dev/build.rst b/doc/dev/build.rst
index f65122146..d3d87dce9 100644
--- a/doc/dev/build.rst
+++ b/doc/dev/build.rst
@@ -306,6 +306,7 @@ All dependencies are also listed in `pyproject.toml <https://gitlab.nic.cz/knot/
    "aiohttp_", "HTTP Client/Server for Python."
    "typing-extensions_", "Compatibility module for Python"
    "prometheus-client_", "Prometheus client for Python (optional)"
+   "watchdog_", "Python API for watching file system events (optional)"
 
 
 You can install the Manager using the generated ``setup.py``.
@@ -367,3 +368,4 @@ For development, it's possible to build the container directly from your git tre
 .. _aiohttp: https://docs.aiohttp.org/
 .. _prometheus-client: https://github.com/prometheus/client_python
 .. _typing-extensions: https://pypi.org/project/typing-extensions/
+.. _watchdog: https://github.com/gorakhargosh/watchdog
diff --git a/doc/dev/debugging-with-kresctl.rst b/doc/dev/debugging-with-kresctl.rst
new file mode 100644
index 000000000..53fcddd11
--- /dev/null
+++ b/doc/dev/debugging-with-kresctl.rst
@@ -0,0 +1,109 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _debugging-with-kresctl:
+
+**********************
+Debugging with kresctl
+**********************
+
+Knot Resolver is made up of several independent components,
+so it can be difficult to debug the individual parts.
+To help with this, there is an option in the kresctl utility
+that can run GDB-compatible debugger on a specific component of the resolver, see the ``debug`` command.
+
+.. program:: kresctl
+
+.. option:: pids
+
+    Lists the PIDs of the Manager's subprocesses, separated by newlines.
+
+    .. option:: --json
+
+        Makes the output more verbose, in JSON. In addition to the subprocesses'
+        PIDs, it also prints their types and statuses.
+
+    .. option:: [proc_type]
+
+        :default: all
+
+        Optional. The type of process to query. See :ref:`Subprocess types
+        <debugging-with-kresctl-subprocess-types>` for more info.
+
+
+.. option:: debug
+
+    Executes a GDB-compatible debugger and attaches it to the Manager's
+    subprocesses. By default, the debugger is ``gdb`` and the subprocesses are
+    only the ``kresd`` workers.
+
+    .. warning::
+
+        The ``debug`` command is a utility for Knot Resolver developers and is
+        not intended to be used by end-users. Running this command **will** make
+        your resolver unresponsive.
+
+    .. note::
+
+        Modern kernels will prevent debuggers from tracing processes that are
+        not their descendants, which is exactly the scenario that happens with
+        ``kresctl debug``. There are three ways to work around this, listed in
+        the order in which they are preferred in terms of security:
+
+          1. Grant the debugger the ``cap_sys_ptrace`` capability
+             (**recommended**)
+
+              * For ``gdb``, this may be achieved by using the ``setcap``
+                command like so:
+
+                .. code-block:: bash
+
+                    sudo setcap cap_sys_ptrace=eip /usr/bin/gdb
+
+          2. Run the debugger as root
+
+              * You may use the ``--sudo`` option to achieve this
+
+          3. Set ``/proc/sys/kernel/yama/ptrace_scope`` to ``0``
+
+              * This will allow **all** programs in your current session to
+                trace each other. Handle with care!
+
+    .. note::
+
+        This command will only work if executed on the same machine where Knot
+        Resolver is running. Remote debugging is currently not supported.
+
+    .. option:: [proc_type]
+
+        :default: kresd
+
+        Optional. The type of process to debug. See :ref:`Subprocess types
+        <debugging-with-kresctl-subprocess-types>` for more info.
+
+    .. option:: --sudo
+
+        Run the debugger with sudo.
+
+    .. option:: --gdb <command>
+
+        Use a custom GDB executable. This may be a command on ``PATH``, or an
+        absolute path to an executable.
+
+    .. option:: --print-only
+
+        Prints the GDB command line into ``stderr`` as a Python array, does not
+        execute GDB.
+
+
+.. _debugging-with-kresctl-subprocess-types:
+
+Subprocess types
+----------------
+
+Some of ``kresctl``'s commands (like :option:`pids` and :option:`debug`) take a subprocess
+type value determining which subprocesses will be affected by them. The possible
+values are as follows:
+
+* ``kresd`` -- the worker daemons
+* ``gc`` -- the cache garbage collector
+* ``all`` -- all of the Manager's subprocesses
diff --git a/doc/dev/index.rst b/doc/dev/index.rst
index a13e3d616..f0d557630 100644
--- a/doc/dev/index.rst
+++ b/doc/dev/index.rst
@@ -30,6 +30,13 @@ Welcome to Knot Resolver's documentation for developers and advanced users!
    manager-dev-code
    layered-protocols
 
+.. toctree::
+   :caption: Debugging
+   :name: debugging-chapter
+   :maxdepth: 1
+
+   debugging-with-kresctl
+
 .. toctree::
    :caption: Lua configuration
    :name: configuration-lua-chapter
diff --git a/doc/kresctl.8.in b/doc/kresctl.8.in
index 538356afc..d8770ca07 100644
--- a/doc/kresctl.8.in
+++ b/doc/kresctl.8.in
@@ -32,7 +32,7 @@ The available options are:
 .B \-s\fI <api_socket>\fR, \fB\-\-socket \fI<api_socket>
 
 Specify how to connect to a running Knot Resolver. Accepts path to Unix-domain
-socket  or \fIhost:port\fR. Defaults to \fI/var/run/knot-resolver/manager.sock\fR
+socket  or \fIhost:port\fR. Defaults to \fI/var/run/knot-resolver/kres-api.sock\fR
 
 Some commands do not require communication with the running resolver. In such
 cases, the value of this option is ignored and the command may succeed even
diff --git a/doc/user/config-network-server-tls.rst b/doc/user/config-network-server-tls.rst
index 420de59ca..8fc848786 100644
--- a/doc/user/config-network-server-tls.rst
+++ b/doc/user/config-network-server-tls.rst
@@ -130,9 +130,12 @@ policies.
 
    .. tip::
 
-      The certificate files aren't automatically reloaded on change.
-      If you update the certificate files, e.g. using ACME, you have to either
-      reload or restart the service(s).
+      If you have ``python-watchdog`` installed on your system,
+      the certificate files are automatically reloaded on change.
+      If you update the certificate files, e.g. using ACME,
+      the manager is notified about changes and commands all workers
+      to reload their certificate files. If you don't have ``python-watchdog``,
+      you have to restart the ``knot-resolver`` service manually.
 
    .. option:: sticket-secret: <str>
 
diff --git a/doc/user/config-overview.rst b/doc/user/config-overview.rst
index 15cb9f629..b42ee0a39 100644
--- a/doc/user/config-overview.rst
+++ b/doc/user/config-overview.rst
@@ -54,7 +54,7 @@ Getting the JSON Schema
 
 * The JSON schema can be `downloaded here <_static/config.schema.json>`_ (valid only for the version of the resolver this documentation was generated for).
 * The :ref:`kresctl schema <manager-client>` command outputs the JSON schema of the currently installed version as well. It does not require a running resolver.
-* The JSON schema can also be obtained from a running resolver by sending a HTTP GET request to the path ``/schema`` on the :ref:`management API <manager-api>` (by default a Unix socket at ``/var/run/knot-resolver/manager.sock``).
+* The JSON schema can also be obtained from a running resolver by sending a HTTP GET request to the path ``/schema`` on the :ref:`management API <manager-api>` (by default a Unix socket at ``/run/knot-resolver/kres-api.sock``).
 
 .. tip::
 
diff --git a/doc/user/config-performance.rst b/doc/user/config-performance.rst
index dbd8d12d2..b09b4a92b 100644
--- a/doc/user/config-performance.rst
+++ b/doc/user/config-performance.rst
@@ -32,3 +32,4 @@ impact than cache settings and number of instances.
    config-rfc7706
    config-priming
    config-edns-keepalive
+   config-rate-limiting
diff --git a/doc/user/config-rate-limiting.rst b/doc/user/config-rate-limiting.rst
new file mode 100644
index 000000000..35342bf9e
--- /dev/null
+++ b/doc/user/config-rate-limiting.rst
@@ -0,0 +1,147 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _config-rate-limiting:
+
+Rate limiting
+=============
+
+Rate limiting is a method to combat DNS reflection amplification
+attacks. These attacks rely on the fact that the source address of a UDP query
+can be forged, and without a worldwide deployment of `BCP38
+<https://tools.ietf.org/html/bcp38>`_, such a forgery cannot be prevented.
+An attacker can use a DNS server (or multiple servers) as an amplification
+source to flood a victim with a large number of unsolicited DNS responses.
+Rate limiting lowers the amplification factor of these attacks by sending some
+responses as truncated or by dropping them altogether.
+
+See the `operator's overview blogpost <https://en.blog.nic.cz/2024/07/15/knot-resolver-6-news-dos-protection-operators-overview/>`_
+for more in depth introduction to this section,
+but beware that the *soft limit* was dropped in favor of the *slip* mechanism
+that's common in other DNS servers.
+
+
+.. option:: rate-limiting/rate-limit: <int>
+
+    Maximal allowed number of UDP queries per second from a single IPv6 or IPv4 address.
+    To be set according to the server performance.
+    Setting the value enables rate limiting as the rest of the configuration is optional.
+
+    Rate limiting is performed for the whole address and several chosen prefixes.
+    The limits of prefixes are constant multiples of :option:`rate-limit <rate-limiting/rate-limit: <int>`.
+    The specific prefixes and multipliers, which might be adjusted in the future, are as follows:
+
+    .. table::
+
+       +------+------+------+------+------+------+
+       | IPv6 | /128 |  /64 |  /56 |  /48 |  /32 |
+       +======+======+======+======+======+======+
+       |      |    1 |    2 |    3 |    4 |   64 |
+       +------+------+------+------+------+------+
+
+    .. table::
+
+       +------+------+------+------+------+
+       | IPv4 |  /32 |  /24 |  /20 |  /18 |
+       +======+======+======+======+======+
+       |      |    1 |   32 |  256 |  768 |
+       +------+------+------+------+------+
+
+    With each host/network, a counter of unrestricted responses is associated;
+    if the counter would exceed its capacity, it is not incremented and the response is restricted.
+    Counters use exponential decay for lowering their values,
+    i.e. they are lowered by a constant fraction of their value each millisecond.
+    The specified rate limit is reached, when the number of queries is the same every millisecond;
+    sending many queries once a second or even a larger timespan leads to a more strict limiting.
+
+
+.. option:: rate-limiting/instant-limit: <int>
+
+    :default: 50
+
+    Maximal allowed number of queries at a single point in time from a single IPv6 or IPv4 address.
+    To be set according to the expected normal behaviour of clients; likely not needed to be alterered.
+    The limits for prefixes use the same multipliers as for :option:`rate-limit <rate-limiting/rate-limit: <int>`.
+
+    This limit is relevant for bursts of queries,
+    e.g. when a recently inactive host/network suddenly starts sending many queries.
+
+    The :option:`instant-limit <rate-limiting/instant-limit: <int>`
+    sets the actual capacity of each counter of responses,
+    and together with the :option:`rate-limit <rate-limiting/rate-limit: <int>`
+    they set the fraction by which the counter is periodically lowered.
+    The :option:`instant-limit <rate-limiting/instant-limit: <int>` may be at least
+    :option:`rate-limit <rate-limiting/rate-limit: <int>` **/ 1000**, at which point the
+    counters are zeroed each millisecond.
+
+
+.. option:: rate-limiting/slip: <int>
+
+    :default: 2
+
+    Number of restricted responses out of which one is sent as truncated, the others are dropped.
+
+    As attacks using DNS/UDP are usually based on a forged source address,
+    an attacker could deny services to the victim's netblock if all
+    responses would be completely blocked. The idea behind SLIP mechanism
+    is to send each N\ :sup:`th` response as truncated, thus allowing client to
+    reconnect via TCP for at least some degree of service. It is worth
+    noting, that some responses can't be truncated (e.g. SERVFAIL).
+
+    - Setting the value to **0** will cause all rate-limited responses to
+      be dropped. The outbound bandwidth and packet rate will be strictly capped
+      by the :option:`rate-limit <rate-limiting/rate-limit: <int>` option.
+      All legitimate requestors affected
+      by the limit will face denial of service and will observe excessive timeouts.
+      Therefore this setting is not recommended.
+
+    - Setting the value to **1** will cause all rate-limited responses to
+      be sent as truncated. The amplification factor of the attack will be reduced,
+      but the outbound data bandwidth won't be lower than the incoming bandwidth.
+      Also the outbound packet rate will be the same as without rate limiting.
+
+    - Setting the value to **2** will cause approximately half of the rate-limited responses
+      to be dropped, and the other half will be sent as truncated. With this
+      configuration, both outbound bandwidth and packet rate will be lower than the
+      inbound. On the other hand, the dropped responses enlarge the time window
+      for possible cache poisoning attack on the resolver.
+
+    - Setting the value to anything **larger than 2** will keep on decreasing
+      the outgoing rate-limited bandwidth, packet rate, and chances to notify
+      legitimate requestors to reconnect using TCP. These attributes are inversely
+      proportional to the configured value. Setting the value high is not advisable.
+
+
+.. option:: rate-limiting/capacity: <int>
+
+    :default: 524288
+
+    Maximal number of stored hosts/networks with their counters.
+    The data structure tries to store only the most frequent sources,
+    so it is safe to set it according to the expected maximal number of limited ones.
+
+    Use **1.4 *** ``maximum-qps`` **/** :option:`rate-limit <rate-limiting/rate-limit: <int>`,
+    where ``maximum-qps`` is the number of queries which can be handled by the server per second.
+    There is at most ``maximum-qps`` **/** :option:`rate-limit <rate-limiting/rate-limit: <int>` limited hosts;
+    larger networks have higher limits, so they require only a fraction of the value (handled by the **1.4** multiplier).
+    The value will be rounded up to the nearest power of two.
+
+    The memory occupied by one table structure is **8 *** :option:`capacity <rate-limiting/capacity: <int>` Bytes.
+
+
+.. option:: rate-limiting/log-period: <time ms|s|m|h|d>
+
+    :default: 0s
+
+    Minimal time between two log messages, or ``0s`` to disable logging.
+
+    If a response is limited, the address and the prefix on which it was blocked is logged
+    and logging is disabled for the :option:`log-period <rate-limiting/log-period: <time ms|s|m|h|d>`.
+    As long as limiting is needed, one source is logged each period
+    and sources with more blocked queries have greater probability to be chosen.
+
+
+.. option:: rate-limiting/dry-run: true|false
+
+    :default: false
+
+    Perform only classification and logging but no restrictions.
diff --git a/doc/user/deployment-docker.rst b/doc/user/deployment-docker.rst
index 462ab061d..42f5503b3 100644
--- a/doc/user/deployment-docker.rst
+++ b/doc/user/deployment-docker.rst
@@ -2,20 +2,67 @@
 Docker
 ******
 
-
 .. note::
 
-    Before version 6, our Docker images were not meant to be used in production. This is no longer the case and with the introduction of ``kres-manager``, Knot Resolver runs in containers without any issues.
+    Before version 6, our Docker images were not intended for production use due to the lack of ``systemd`` in Docker and
+    the inability to manage the multiple independent parts of the resolver.
+    This is no longer the case since the introduction of the Manager that automatically control other parts of the resolver.
+
+Knot Resolver official Docker image can be found at `Docker Hub <https://hub.docker.com/r/cznic/knot-resolver>`_.
+First you can try running the container in interactive mode.
+
+.. code-block:: bash
+
+    $ docker run --rm -ti --network host docker.io/cznic/knot-resolver:6
 
-An official Docker image can be found on `Docker Hub <https://hub.docker.com/r/cznic/knot-resolver>`_. The image contains Knot Resolver as if it was installed from our official distro packages.
+For more robust deployments you will also probably need to configure network, for that see `Docker networking <https://docs.docker.com/engine/network/>`_.
+
+Now you can try sending a query to the resolver using `kdig <https://www.knot-dns.cz/docs/latest/html/man_kdig.html>`_.
 
 .. code-block:: bash
 
-    docker run --rm -ti -P docker.io/cznic/knot-resolver
+    $ kdig example.com @127.0.0.1
+    $ kdig nic.cz @127.0.0.1#443 +https
 
-The configuration file is located at ``/etc/knot-resolver/config.yaml`` and the cache is at ``/var/cache/knot-resolver``. We recommend configuring a persistent cache across container restarts.
+The image contains full Knot Resolver installation, so there shouldn't be much difference between running it natively and running it in a container.
+The configuration file is located at ``/etc/knot-resolver/config.yaml`` and the cache is at ``/var/cache/knot-resolver``.
+Please do not change these and other paths (rundir) as you may break things inside the container.
 
 .. warning::
     
-    While the container image contains normal installation of Knot Resolver and there shouldn't be any differences between running it natively and in a container, we (the developers) do not have any experience using the Docker image in production. Especially, beware of running the DNS resolver with a software defined network (i.e. in Kubernetes). There will likely be some performance penalties for doing so. We haven't done any measurements comparing different types of installations so we don't know the performance differences. If you have done some measurements yourself, please reach out to us and we will share it here with everyone else.
-    
\ No newline at end of file
+    Beware of running the container with a software defined network (i.e. in Kubernetes).
+    This will likely to result in some performance losses.
+    We haven't done any measurements comparing different types of installations so we don't know the performance differences.
+    If you have done your own measurements yourself, please contact us and we will share it with everyone else.
+
+------
+Config
+------
+
+We recommend persistent configuration across container restarts,
+for more see `Docker persisting container data <https://docs.docker.com/get-started/docker-concepts/running-containers/persisting-container-data/>`_.
+
+.. code-block:: bash
+
+    $ docker volume create config
+    $ docker run --rm -ti --network host -v config:/etc/knot-resolver docker.io/cznic/knot-resolver:6
+
+After a configuration change there is no need to restart the entire container, just tell the resolver to reload the configuration.
+Get ``CONTAINER_ID`` using the ``docker ps`` command or give your container name with the ``--name`` argument at container startup.
+
+.. code-block:: bash
+
+    $ docker exec -it CONTANER_ID kresctl reload
+
+-----
+Cache
+-----
+
+You can also use persistent volume for the cache, but sharing it between more containers requires special option ``--pid=host``.
+This is caused by the LMDB's reliance on unique PID numbers, see `issue #637 <https://gitlab.nic.cz/knot/knot-resolver/-/issues/637>`_ for more information.
+It is also good to mount the cache on ``tmpfs`` (semi-persistent), otherwise it will not work well under heavy load.
+
+.. code-block:: bash
+
+    $ docker volume create --opt type=tmpfs --opt device=tmpfs cache
+    $ docker run --rm -ti --pid=host --network host -v cache:/var/cache/knot-resolver docker.io/cznic/knot-resolver:6
diff --git a/doc/user/manager-api.rst b/doc/user/manager-api.rst
index 21efb350b..db7754e6f 100644
--- a/doc/user/manager-api.rst
+++ b/doc/user/manager-api.rst
@@ -11,7 +11,7 @@ Management HTTP API
 ===================
 
 You can use HTTP API to dynamically change configuration of already running Knot Resolver.
-By default the API is configured as UNIX domain socket located in the resolver's rundir ``/var/run/knot-resolver/manager.sock``.
+By default the API is configured as UNIX domain socket located in the resolver's rundir ``/run/knot-resolver/kres-api.sock``.
 This socket is used by ``kresctl`` utility in default.
 
 The API setting can be changed only in ``/etc/knot-resolver/config.yaml`` configuration file:
diff --git a/doc/user/manager-client.rst b/doc/user/manager-client.rst
index 61ff2fff0..abeab2c93 100644
--- a/doc/user/manager-client.rst
+++ b/doc/user/manager-client.rst
@@ -34,7 +34,7 @@ where to look for the API.
 
 If the :ref:`management <manager-api>` key is not present in the configuration
 file, ``kresctl`` attempts to connect to the
-``/var/run/knot-resolver/manager.sock`` Unix-domain socket, which is the
+``/run/knot-resolver/kres-api.sock`` Unix-domain socket, which is the
 Manager's default communication channel.
 
 By default, ``kresctl`` tries to find the correct communication channel in
diff --git a/etc/config/config.example.docker.yaml b/etc/config/config.example.docker.yaml
index 5c10d6662..85f935ad1 100644
--- a/etc/config/config.example.docker.yaml
+++ b/etc/config/config.example.docker.yaml
@@ -8,5 +8,12 @@ network:
       kind: dot
     - interface: lo@443
       kind: doh2
-management:
-  interface: 127.0.0.1@5000
+
+# By default, there is no need to expose the management API outside the container.
+# But if for some reason it is needed, use port 5000, which is intended for that.
+# You can access the API with 'kresctl' installed inside the container using 'docker exec'.
+# For example: $ docker exec -it CONTANER_ID kresctl reload
+# See more in documentation: https://www.knot-resolver.cz/documentation/latest/deployment-docker.html
+
+# management:
+#   interface: 127.0.0.1@5000
diff --git a/etc/config/config.yaml b/etc/config/config.yaml
index cf4da9291..771a931f0 100644
--- a/etc/config/config.yaml
+++ b/etc/config/config.yaml
@@ -8,4 +8,4 @@ network:
   listen:
     - interface: 127.0.0.1@53
 management:
-  unix-socket: /run/knot-resolver/manager.sock
+  unix-socket: /run/knot-resolver/kres-api.sock
diff --git a/meson.build b/meson.build
index 8d723374c..f992abcda 100644
--- a/meson.build
+++ b/meson.build
@@ -4,7 +4,7 @@ project(
   'knot-resolver',
   ['c', 'cpp'],
   license: 'GPLv3+',
-  version: '6.0.8',
+  version: '6.0.9',
   default_options: ['c_std=gnu11', 'b_ndebug=true'],
   meson_version: '>=0.49',
 )
diff --git a/poe b/poe
index d1f58894c..815428a37 100755
--- a/poe
+++ b/poe
@@ -1,4 +1,4 @@
 #!/bin/sh
 
 script_dir="$(dirname "$(readlink -f "$0")")"
-exec poetry --directory "$script_dir" run poe --root "$script_dir" "$@"
+exec poetry --directory "$script_dir" run -- poe --root "$script_dir" "$@"
diff --git a/pyproject.toml b/pyproject.toml
index 5e659319f..c2c639927 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "knot-resolver"
-version = "6.0.8"
+version = "6.0.9"
 description = "Knot Resolver Manager - a Python program that automatically manages the other components of the resolver"
 license = "GPL-3.0-or-later"
 authors = [
@@ -34,9 +34,11 @@ pyyaml = "*"
 supervisor = "*"
 typing-extensions = "*"
 prometheus-client = { version = "*", optional = true }
+watchdog = { version = "*", optional = true }
 
 [tool.poetry.extras]
 prometheus = ["prometheus-client"]
+watchdog = ["watchdog"]
 
 [tool.poetry.group.dev.dependencies]
 poetry = "^1.8.3"
diff --git a/python/knot_resolver/client/commands/debug.py b/python/knot_resolver/client/commands/debug.py
new file mode 100644
index 000000000..5d9a81df0
--- /dev/null
+++ b/python/knot_resolver/client/commands/debug.py
@@ -0,0 +1,144 @@
+import argparse
+import json
+import os
+import sys
+from pathlib import Path
+from typing import List, Optional, Tuple, Type
+
+from knot_resolver.client.command import Command, CommandArgs, CompWords, register_command
+from knot_resolver.utils import which
+from knot_resolver.utils.requests import request
+
+PROCS_TYPE = List
+
+
+@register_command
+class DebugCommand(Command):
+    def __init__(self, namespace: argparse.Namespace) -> None:
+        self.proc_type: Optional[str] = namespace.proc_type
+        self.sudo: bool = namespace.sudo
+        self.gdb: str = namespace.gdb
+        self.print_only: bool = namespace.print_only
+        self.gdb_args: List[str] = namespace.extra
+        super().__init__(namespace)
+
+    @staticmethod
+    def register_args_subparser(
+        subparser: "argparse._SubParsersAction[argparse.ArgumentParser]",
+    ) -> Tuple[argparse.ArgumentParser, "Type[Command]"]:
+        debug = subparser.add_parser(
+            "debug",
+            help="Run GDB on the manager's subprocesses",
+        )
+        debug.add_argument(
+            "proc_type",
+            help="Optional, the type of process to debug. May be 'kresd' (default), 'gc', or 'all'.",
+            type=str,
+            nargs="?",
+            default="kresd",
+        )
+        debug.add_argument(
+            "--sudo",
+            dest="sudo",
+            help="Run GDB with sudo",
+            action="store_true",
+            default=False,
+        )
+        debug.add_argument(
+            "--gdb",
+            help="Custom GDB executable (may be a command on PATH, or an absolute path)",
+            type=str,
+            default=None,
+        )
+        debug.add_argument(
+            "--print-only",
+            help="Prints the GDB command line into stderr as a Python array, does not execute GDB",
+            action="store_true",
+            default=False,
+        )
+        return debug, DebugCommand
+
+    @staticmethod
+    def completion(args: List[str], parser: argparse.ArgumentParser) -> CompWords:
+        return {}
+
+    def run(self, args: CommandArgs) -> None:  # noqa: PLR0912, PLR0915
+        if self.gdb is None:
+            try:
+                gdb_cmd = str(which.which("gdb"))
+            except RuntimeError:
+                print("Could not find 'gdb' in $PATH. Is GDB installed?", file=sys.stderr)
+                sys.exit(1)
+        elif "/" not in self.gdb:
+            try:
+                gdb_cmd = str(which.which(self.gdb))
+            except RuntimeError:
+                print(f"Could not find '{self.gdb}' in $PATH.", file=sys.stderr)
+                sys.exit(1)
+        else:
+            gdb_cmd_path = Path(self.gdb).absolute()
+            if not gdb_cmd_path.exists():
+                print(f"Could not find '{self.gdb}'.", file=sys.stderr)
+                sys.exit(1)
+            gdb_cmd = str(gdb_cmd_path)
+
+        response = request(args.socket, "GET", f"processes/{self.proc_type}")
+        if response.status != 200:
+            print(response, file=sys.stderr)
+            sys.exit(1)
+
+        procs = json.loads(response.body)
+        if not isinstance(procs, PROCS_TYPE):
+            print(
+                f"Unexpected response type '{type(procs).__name__}' from manager. Expected '{PROCS_TYPE.__name__}'",
+                file=sys.stderr,
+            )
+            sys.exit(1)
+        if len(procs) == 0:
+            print(
+                f"There are no processes of type '{self.proc_type}' available to debug",
+                file=sys.stderr,
+            )
+
+        exec_args = []
+
+        # Put `sudo --` at the beginning of the command.
+        if self.sudo:
+            try:
+                sudo_cmd = str(which.which("sudo"))
+            except RuntimeError:
+                print("Could not find 'sudo' in $PATH. Is sudo installed?", file=sys.stderr)
+                sys.exit(1)
+            exec_args.extend([sudo_cmd, "--"])
+
+        # Attach GDB to processes - the processes are attached using the `add-inferior` and `attach` GDB
+        # commands. This way, we can debug multiple processes.
+        exec_args.extend([gdb_cmd, "--"])
+        exec_args.extend(["-init-eval-command", "set detach-on-fork off"])
+        exec_args.extend(["-init-eval-command", "set schedule-multiple on"])
+        exec_args.extend(["-init-eval-command", f'attach {procs[0]["pid"]}'])
+        inferior = 2
+        for proc in procs[1:]:
+            exec_args.extend(["-init-eval-command", "add-inferior"])
+            exec_args.extend(["-init-eval-command", f"inferior {inferior}"])
+            exec_args.extend(["-init-eval-command", f'attach {proc["pid"]}'])
+            inferior += 1
+
+        num_inferiors = inferior - 1
+        if num_inferiors > 1:
+            # Now we switch back to the first process and add additional provided GDB arguments.
+            exec_args.extend(["-init-eval-command", "inferior 1"])
+            exec_args.extend(
+                [
+                    "-init-eval-command",
+                    "echo \\n\\nYou are now debugging multiple Knot Resolver processes. To switch between "
+                    "them, use the 'inferior <n>' command, where <n> is an integer from 1 to "
+                    f"{num_inferiors}.\\n\\n",
+                ]
+            )
+        exec_args.extend(self.gdb_args)
+
+        if self.print_only:
+            print(f"{exec_args}")
+        else:
+            os.execl(*exec_args)
diff --git a/python/knot_resolver/client/commands/pids.py b/python/knot_resolver/client/commands/pids.py
new file mode 100644
index 000000000..a1ab5f8c8
--- /dev/null
+++ b/python/knot_resolver/client/commands/pids.py
@@ -0,0 +1,63 @@
+import argparse
+import json
+import sys
+from typing import Iterable, List, Optional, Tuple, Type
+
+from knot_resolver.client.command import Command, CommandArgs, CompWords, register_command
+from knot_resolver.utils.requests import request
+
+PROCESSES_TYPE = Iterable
+
+
+@register_command
+class PidsCommand(Command):
+    def __init__(self, namespace: argparse.Namespace) -> None:
+        self.proc_type: Optional[str] = namespace.proc_type
+        self.json: int = namespace.json
+
+        super().__init__(namespace)
+
+    @staticmethod
+    def register_args_subparser(
+        subparser: "argparse._SubParsersAction[argparse.ArgumentParser]",
+    ) -> Tuple[argparse.ArgumentParser, "Type[Command]"]:
+        pids = subparser.add_parser("pids", help="List the PIDs of the Manager's subprocesses")
+        pids.add_argument(
+            "proc_type",
+            help="Optional, the type of process to query. May be 'kresd', 'gc', or 'all' (default).",
+            nargs="?",
+            default="all",
+        )
+        pids.add_argument(
+            "--json",
+            help="Optional, makes the output more verbose, in JSON.",
+            action="store_true",
+            default=False,
+        )
+        return pids, PidsCommand
+
+    @staticmethod
+    def completion(args: List[str], parser: argparse.ArgumentParser) -> CompWords:
+        return {}
+
+    def run(self, args: CommandArgs) -> None:
+        response = request(args.socket, "GET", f"processes/{self.proc_type}")
+
+        if response.status == 200:
+            processes = json.loads(response.body)
+            if isinstance(processes, PROCESSES_TYPE):
+                if self.json:
+                    print(json.dumps(processes, indent=2))
+                else:
+                    for p in processes:
+                        print(p["pid"])
+
+            else:
+                print(
+                    f"Unexpected response type '{type(processes).__name__}' from manager. Expected '{PROCESSES_TYPE.__name__}'",
+                    file=sys.stderr,
+                )
+                sys.exit(1)
+        else:
+            print(response, file=sys.stderr)
+            sys.exit(1)
diff --git a/python/knot_resolver/client/main.py b/python/knot_resolver/client/main.py
index 75cd6a77f..461b7fc42 100644
--- a/python/knot_resolver/client/main.py
+++ b/python/knot_resolver/client/main.py
@@ -1,6 +1,7 @@
 import argparse
 import importlib
 import os
+import sys
 
 from knot_resolver.constants import VERSION
 
@@ -68,7 +69,21 @@ def main() -> None:
     parser = create_main_argument_parser()
     install_commands_parsers(parser)
 
-    namespace = parser.parse_args()
+    # TODO: This is broken with unpatched versions of poethepoet, because they drop the `--` pseudo-argument.
+    # Patch submitted at <https://github.com/nat-n/poethepoet/pull/163>.
+    try:
+        pa_index = sys.argv.index("--", 1)
+        argv_to_parse = sys.argv[1:pa_index]
+        argv_extra = sys.argv[(pa_index + 1) :]
+    except ValueError:
+        argv_to_parse = sys.argv[1:]
+        argv_extra = []
+
+    namespace = parser.parse_args(argv_to_parse)
+    if hasattr(namespace, "extra"):
+        raise TypeError("'extra' is already an attribute - this is disallowed for commands")
+    namespace.extra = argv_extra
+
     client = KresClient(namespace, parser)
     client.execute()
 
diff --git a/python/knot_resolver/constants.py b/python/knot_resolver/constants.py
index 2acb86603..f37bb2af9 100644
--- a/python/knot_resolver/constants.py
+++ b/python/knot_resolver/constants.py
@@ -1,6 +1,6 @@
 from pathlib import Path
 
-VERSION = "6.0.8"
+VERSION = "6.0.9"
 USER = "knot-resolver"
 GROUP = "knot-resolver"
 
diff --git a/python/knot_resolver/controller/interface.py b/python/knot_resolver/controller/interface.py
index 0544dac23..49808d01a 100644
--- a/python/knot_resolver/controller/interface.py
+++ b/python/knot_resolver/controller/interface.py
@@ -14,7 +14,6 @@
 from knot_resolver.controller.registered_workers import register_worker, unregister_worker
 from knot_resolver.datamodel.config_schema import KresConfig
 from knot_resolver.manager.constants import kresd_config_file, policy_loader_config_file
-from knot_resolver.utils.async_utils import writefile
 
 logger = logging.getLogger(__name__)
 
@@ -110,20 +109,35 @@ def __init__(self, config: KresConfig, kresid: KresID) -> None:
         self._id = kresid
         self._config = config
         self._registered_worker: bool = False
+        self._pid: Optional[int] = None
+
+        self._config_file: Optional[Path] = None
+        if self.type is SubprocessType.KRESD:
+            self._config_file = kresd_config_file(self._config, self.id)
+        elif self.type is SubprocessType.POLICY_LOADER:
+            self._config_file = policy_loader_config_file(self._config)
+
+    def _render_lua(self) -> Optional[str]:
+        if self.type is SubprocessType.KRESD:
+            return self._config.render_lua()
+        if self.type is SubprocessType.POLICY_LOADER:
+            return self._config.render_lua_policy()
+        return None
+
+    def _write_config(self) -> None:
+        config_lua = self._render_lua()
+        if config_lua and self._config_file:
+            with open(self._config_file, "w", encoding="utf8") as file:
+                file.write(config_lua)
+
+    def _unlink_config(self) -> None:
+        if self._config_file:
+            self._config_file.unlink(missing_ok=True)
 
     async def start(self, new_config: Optional[KresConfig] = None) -> None:
         if new_config:
             self._config = new_config
-
-        config_file: Optional[Path] = None
-        if self.type is SubprocessType.KRESD:
-            config_lua = self._config.render_lua()
-            config_file = kresd_config_file(self._config, self.id)
-            await writefile(config_file, config_lua)
-        elif self.type is SubprocessType.POLICY_LOADER:
-            config_lua = self._config.render_lua_policy()
-            config_file = policy_loader_config_file(self._config)
-            await writefile(config_file, config_lua)
+        self._write_config()
 
         try:
             await self._start()
@@ -131,8 +145,7 @@ async def start(self, new_config: Optional[KresConfig] = None) -> None:
                 register_worker(self)
                 self._registered_worker = True
         except SubprocessControllerError as e:
-            if config_file:
-                config_file.unlink()
+            self._unlink_config()
             raise e
 
     async def apply_new_config(self, new_config: KresConfig) -> None:
@@ -140,16 +153,7 @@ async def apply_new_config(self, new_config: KresConfig) -> None:
 
         # update config file
         logger.debug(f"Writing config file for {self.id}")
-
-        config_file: Optional[Path] = None
-        if self.type is SubprocessType.KRESD:
-            config_lua = self._config.render_lua()
-            config_file = kresd_config_file(self._config, self.id)
-            await writefile(config_file, config_lua)
-        elif self.type is SubprocessType.POLICY_LOADER:
-            config_lua = self._config.render_lua_policy()
-            config_file = policy_loader_config_file(self._config)
-            await writefile(config_file, config_lua)
+        self._write_config()
 
         # update runtime status
         logger.debug(f"Restarting {self.id}")
@@ -166,13 +170,7 @@ async def cleanup(self) -> None:
         Remove temporary files and all traces of this instance running. It is NOT SAFE to call this while
         the kresd is running, because it will break automatic restarts (at the very least).
         """
-
-        if self.type is SubprocessType.KRESD:
-            config_file = kresd_config_file(self._config, self.id)
-            config_file.unlink()
-        elif self.type is SubprocessType.POLICY_LOADER:
-            config_file = policy_loader_config_file(self._config)
-            config_file.unlink()
+        self._unlink_config()
 
     def __eq__(self, o: object) -> bool:
         return isinstance(o, type(self)) and o.type == self.type and o.id == self.id
@@ -192,6 +190,10 @@ async def _stop(self) -> None:
     async def _restart(self) -> None:
         pass
 
+    @abstractmethod
+    async def get_pid(self) -> int:
+        pass
+
     @abstractmethod
     def status(self) -> SubprocessStatus:
         pass
diff --git a/python/knot_resolver/controller/supervisord/__init__.py b/python/knot_resolver/controller/supervisord/__init__.py
index 347ac1e71..ddb9b29b1 100644
--- a/python/knot_resolver/controller/supervisord/__init__.py
+++ b/python/knot_resolver/controller/supervisord/__init__.py
@@ -223,6 +223,14 @@ def _restart(self) -> None:
         fast = _create_fast_proxy(self._config)
         fast.startProcess(self.name)
 
+    @async_in_a_thread
+    def get_pid(self) -> int:
+        if self._pid is None:
+            supervisord = _create_supervisord_proxy(self._config)
+            info = supervisord.getProcessInfo(self.name)
+            self._pid = info["pid"]
+        return self._pid
+
     def get_used_config(self) -> KresConfig:
         return self._config
 
diff --git a/python/knot_resolver/datamodel/rate_limiting_schema.py b/python/knot_resolver/datamodel/rate_limiting_schema.py
index d93272da4..60994c206 100644
--- a/python/knot_resolver/datamodel/rate_limiting_schema.py
+++ b/python/knot_resolver/datamodel/rate_limiting_schema.py
@@ -1,3 +1,8 @@
+from knot_resolver.datamodel.types import (
+    Int0_32,
+    IntPositive,
+    TimeUnit,
+)
 from knot_resolver.utils.modeling import ConfigSchema
 
 
@@ -10,26 +15,20 @@ class RateLimitingSchema(ConfigSchema):
     rate_limit: Maximal number of allowed queries per second from a single host.
     instant_limit: Maximal number of allowed queries at a single point in time from a single host.
     slip: Number of restricted responses out of which one is sent as truncated, the others are dropped.
-    log_period: Minimal time in msec between two log messages, or zero to disable.
+    log_period: Minimal time between two log messages, or '0s' to disable.
     dry_run: Perform only classification and logging but no restrictions.
     """
 
-    capacity: int = 524288
-    rate_limit: int
-    instant_limit: int = 50
-    slip: int = 2
-    log_period: int = 0
+    capacity: IntPositive = IntPositive(524288)
+    rate_limit: IntPositive
+    instant_limit: IntPositive = IntPositive(50)
+    slip: Int0_32 = Int0_32(2)
+    log_period: TimeUnit = TimeUnit("0s")
     dry_run: bool = False
 
     def _validate(self) -> None:
-        max_instant_limit = int(2**32 / 768 - 1)
-        if not 1 <= self.instant_limit <= max_instant_limit:
+        max_instant_limit = int(2 ** 32 // 768 - 1)
+        if not int(self.instant_limit) <= max_instant_limit:
             raise ValueError(f"'instant-limit' has to be in range 1..{max_instant_limit}")
-        if not 1 <= self.rate_limit <= 1000 * self.instant_limit:
+        if not int(self.rate_limit) <= 1000 * int(self.instant_limit):
             raise ValueError("'rate-limit' has to be in range 1..(1000 * instant-limit)")
-        if not 0 < self.capacity:
-            raise ValueError("'capacity' has to be positive")
-        if not 0 <= self.slip <= 100:
-            raise ValueError("'slip' has to be in range 0..100")
-        if not 0 <= self.log_period:
-            raise ValueError("'log-period' has to be non-negative")
diff --git a/python/knot_resolver/datamodel/templates/rate_limiting.lua.j2 b/python/knot_resolver/datamodel/templates/rate_limiting.lua.j2
index 4f9547f54..63f921257 100644
--- a/python/knot_resolver/datamodel/templates/rate_limiting.lua.j2
+++ b/python/knot_resolver/datamodel/templates/rate_limiting.lua.j2
@@ -7,6 +7,6 @@ assert(C.ratelimiting_init(
 	{{ cfg.rate_limiting.instant_limit }},
 	{{ cfg.rate_limiting.rate_limit }},
 	{{ cfg.rate_limiting.slip }},
-	{{ cfg.rate_limiting.log_period }},
+	{{ cfg.rate_limiting.log_period.millis() }},
 	{{ boolean(cfg.rate_limiting.dry_run) }}) == 0)
 {%- endif %}
diff --git a/python/knot_resolver/datamodel/types/__init__.py b/python/knot_resolver/datamodel/types/__init__.py
index a3d7db3e6..d1334b5a2 100644
--- a/python/knot_resolver/datamodel/types/__init__.py
+++ b/python/knot_resolver/datamodel/types/__init__.py
@@ -6,6 +6,7 @@
     EscapedStr,
     EscapedStr32B,
     IDPattern,
+    Int0_32,
     Int0_512,
     Int0_65535,
     InterfaceName,
@@ -37,6 +38,7 @@
     "EscapedStr",
     "EscapedStr32B",
     "IDPattern",
+    "Int0_32",
     "Int0_512",
     "Int0_65535",
     "InterfaceName",
diff --git a/python/knot_resolver/datamodel/types/types.py b/python/knot_resolver/datamodel/types/types.py
index 6cd1e4cbd..3c9b9fe1c 100644
--- a/python/knot_resolver/datamodel/types/types.py
+++ b/python/knot_resolver/datamodel/types/types.py
@@ -14,6 +14,11 @@ class IntPositive(IntRangeBase):
     _min: int = 1
 
 
+class Int0_32(IntRangeBase):  # noqa: N801
+    _min: int = 0
+    _max: int = 32
+
+
 class Int0_512(IntRangeBase):  # noqa: N801
     _min: int = 0
     _max: int = 512
diff --git a/python/knot_resolver/manager/files/__init__.py b/python/knot_resolver/manager/files/__init__.py
new file mode 100644
index 000000000..49700656b
--- /dev/null
+++ b/python/knot_resolver/manager/files/__init__.py
@@ -0,0 +1,3 @@
+from .watchdog import init_files_watchdog
+
+__all__ = ["init_files_watchdog"]
diff --git a/python/knot_resolver/manager/files/watchdog.py b/python/knot_resolver/manager/files/watchdog.py
new file mode 100644
index 000000000..64547192e
--- /dev/null
+++ b/python/knot_resolver/manager/files/watchdog.py
@@ -0,0 +1,133 @@
+import importlib
+import logging
+from pathlib import Path
+from threading import Timer
+from typing import List, Optional
+
+from knot_resolver.controller.registered_workers import command_registered_workers
+from knot_resolver.datamodel import KresConfig
+from knot_resolver.datamodel.types import File
+from knot_resolver.manager.config_store import ConfigStore, only_on_real_changes_update
+from knot_resolver.utils import compat
+
+_watchdog = False
+if importlib.util.find_spec("watchdog"):
+    _watchdog = True
+
+logger = logging.getLogger(__name__)
+
+
+def tls_cert_paths(config: KresConfig) -> List[str]:
+    files: List[Optional[File]] = [
+        config.network.tls.cert_file,
+        config.network.tls.key_file,
+    ]
+    return [str(file) for file in files if file is not None]
+
+
+if _watchdog:
+    from watchdog.events import (
+        FileSystemEvent,
+        FileSystemEventHandler,
+    )
+    from watchdog.observers import Observer
+
+    _tls_cert_watchdog: Optional["TLSCertWatchDog"] = None
+
+    class TLSCertEventHandler(FileSystemEventHandler):
+        def __init__(self, files: List[Path], cmd: str) -> None:
+            self._files = files
+            self._cmd = cmd
+            self._timer: Optional[Timer] = None
+
+        def _reload(self) -> None:
+            def command() -> None:
+                if compat.asyncio.is_event_loop_running():
+                    compat.asyncio.create_task(command_registered_workers(self._cmd))
+                else:
+                    compat.asyncio.run(command_registered_workers(self._cmd))
+                logger.info("Reloading of TLS certificate files has finished")
+
+            # skipping if reload was already triggered
+            if self._timer and self._timer.is_alive():
+                logger.info("Skipping TLS certificate files reloading, reload command was already triggered")
+                return
+            # start a 5sec timer
+            logger.info("Delayed reload of TLS certificate files has started")
+            self._timer = Timer(5, command)
+            self._timer.start()
+
+        def on_created(self, event: FileSystemEvent) -> None:
+            src_path = Path(str(event.src_path))
+            if src_path in self._files:
+                logger.info(f"Watched file '{src_path}' has been created")
+                self._reload()
+
+        def on_deleted(self, event: FileSystemEvent) -> None:
+            src_path = Path(str(event.src_path))
+            if src_path in self._files:
+                logger.warning(f"Watched file '{src_path}' has been deleted")
+                if self._timer:
+                    self._timer.cancel()
+            for file in self._files:
+                if file.parent == src_path:
+                    logger.warning(f"Watched directory '{src_path}' has been deleted")
+                    if self._timer:
+                        self._timer.cancel()
+
+        def on_modified(self, event: FileSystemEvent) -> None:
+            src_path = Path(str(event.src_path))
+            if src_path in self._files:
+                logger.info(f"Watched file '{src_path}' has been modified")
+                self._reload()
+
+    class TLSCertWatchDog:
+        def __init__(self, cert_file: Path, key_file: Path) -> None:
+            self._observer = Observer()
+
+            cmd = f"net.tls('{cert_file}', '{key_file}')"
+
+            cert_files: List[Path] = []
+            cert_files.append(cert_file)
+            cert_files.append(key_file)
+
+            cert_dirs: List[Path] = []
+            cert_dirs.append(cert_file.parent)
+            if cert_file.parent != key_file.parent:
+                cert_dirs.append(key_file.parent)
+
+            event_handler = TLSCertEventHandler(cert_files, cmd)
+            for d in cert_dirs:
+                self._observer.schedule(
+                    event_handler,
+                    str(d),
+                    recursive=False,
+                )
+                logger.info(f"Directory '{d}' scheduled for watching")
+
+        def start(self) -> None:
+            self._observer.start()
+
+        def stop(self) -> None:
+            self._observer.stop()
+            self._observer.join()
+
+    @only_on_real_changes_update(tls_cert_paths)
+    async def _init_tls_cert_watchdog(config: KresConfig) -> None:
+        global _tls_cert_watchdog
+        if _tls_cert_watchdog:
+            _tls_cert_watchdog.stop()
+
+        if config.network.tls.cert_file and config.network.tls.key_file:
+            logger.info("Initializing TLS certificate files WatchDog")
+            _tls_cert_watchdog = TLSCertWatchDog(
+                config.network.tls.cert_file.to_path(),
+                config.network.tls.key_file.to_path(),
+            )
+            _tls_cert_watchdog.start()
+
+
+async def init_files_watchdog(config_store: ConfigStore) -> None:
+    if _watchdog:
+        # watchdog for TLS certificate files
+        await config_store.register_on_change_callback(_init_tls_cert_watchdog)
diff --git a/python/knot_resolver/manager/manager.py b/python/knot_resolver/manager/manager.py
index 6ce32fcc2..df57bd631 100644
--- a/python/knot_resolver/manager/manager.py
+++ b/python/knot_resolver/manager/manager.py
@@ -55,6 +55,14 @@ async def _deny_max_worker_changes(config_old: KresConfig, config_new: KresConfi
     return Result.ok(None)
 
 
+async def _subprocess_desc(subprocess: Subprocess) -> object:
+    return {
+        "type": subprocess.type.name,
+        "pid": await subprocess.get_pid(),
+        "status": subprocess.status().name,
+    }
+
+
 class KresManager:  # pylint: disable=too-many-instance-attributes
     """
     Core of the whole operation. Orchestrates individual instances under some
@@ -63,7 +71,7 @@ class KresManager:  # pylint: disable=too-many-instance-attributes
     Instantiate with `KresManager.create()`, not with the usual constructor!
     """
 
-    def __init__(self, shutdown_trigger: Callable[[int], None], _i_know_what_i_am_doing: bool = False):
+    def __init__(self, _i_know_what_i_am_doing: bool = False):
         if not _i_know_what_i_am_doing:
             logger.error(
                 "Trying to create an instance of KresManager using normal constructor. Please use "
@@ -80,19 +88,18 @@ def __init__(self, shutdown_trigger: Callable[[int], None], _i_know_what_i_am_do
         self._watchdog_task: Optional["asyncio.Task[None]"] = None
         self._fix_counter: _FixCounter = _FixCounter()
         self._config_store: ConfigStore
-        self._shutdown_trigger: Callable[[int], None] = shutdown_trigger
+        self._shutdown_triggers: List[Callable[[int], None]] = []
 
     @staticmethod
     async def create(
         subprocess_controller: SubprocessController,
         config_store: ConfigStore,
-        shutdown_trigger: Callable[[int], None],
     ) -> "KresManager":
         """
         Creates new instance of KresManager.
         """
 
-        inst = KresManager(shutdown_trigger, _i_know_what_i_am_doing=True)
+        inst = KresManager(_i_know_what_i_am_doing=True)
         await inst._async_init(subprocess_controller, config_store)  # noqa: SLF001
         return inst
 
@@ -211,6 +218,9 @@ async def _stop_gc(self) -> None:
         await self._gc.stop()
         self._gc = None
 
+    def add_shutdown_trigger(self, trigger: Callable[[int], None]) -> None:
+        self._shutdown_triggers.append(trigger)
+
     async def validate_config(self, _old: KresConfig, new: KresConfig) -> Result[NoneType, str]:
         async with self._manager_lock:
             if _old.rate_limiting != new.rate_limiting:
@@ -239,6 +249,10 @@ async def validate_config(self, _old: KresConfig, new: KresConfig) -> Result[Non
             logger.debug("Canary process test passed.")
             return Result.ok(None)
 
+    async def get_processes(self, proc_type: Optional[SubprocessType]) -> List[object]:
+        processes = await self._controller.get_all_running_instances()
+        return [await _subprocess_desc(pr) for pr in processes if proc_type is None or pr.type == proc_type]
+
     async def _reload_system_state(self) -> None:
         async with self._manager_lock:
             self._workers = []
@@ -344,7 +358,8 @@ async def forced_shutdown(self) -> None:
         logger.warning("Collecting all remaining workers...")
         await self._reload_system_state()
         logger.warning("Terminating...")
-        self._shutdown_trigger(1)
+        for trigger in self._shutdown_triggers:
+            trigger(1)
 
     async def _instability_handler(self) -> None:
         if self._fix_counter.is_too_high():
diff --git a/python/knot_resolver/manager/server.py b/python/knot_resolver/manager/server.py
index 90fd4d3b9..06fab0cfc 100644
--- a/python/knot_resolver/manager/server.py
+++ b/python/knot_resolver/manager/server.py
@@ -21,13 +21,14 @@
 from knot_resolver.constants import CONFIG_FILE, USER
 from knot_resolver.controller import get_best_controller_implementation
 from knot_resolver.controller.exceptions import SubprocessControllerExecError
+from knot_resolver.controller.interface import SubprocessType
 from knot_resolver.controller.registered_workers import command_single_registered_worker
 from knot_resolver.datamodel import kres_config_json_schema
 from knot_resolver.datamodel.cache_schema import CacheClearRPCSchema
 from knot_resolver.datamodel.config_schema import KresConfig, get_rundir_without_validation
 from knot_resolver.datamodel.globals import Context, set_global_validation_context
 from knot_resolver.datamodel.management_schema import ManagementSchema
-from knot_resolver.manager import metrics
+from knot_resolver.manager import files, metrics
 from knot_resolver.utils import custom_atexit as atexit
 from knot_resolver.utils import ignore_exceptions_optional
 from knot_resolver.utils.async_utils import readfile
@@ -60,8 +61,8 @@ async def error_handler(request: web.Request, handler: Any) -> web.Response:
 
     try:
         return await handler(request)
-    except DataValidationError as e:
-        return web.Response(text=f"validation of configuration failed:\n{e}", status=HTTPStatus.BAD_REQUEST)
+    except (AggregateDataValidationError, DataValidationError) as e:
+        return web.Response(text=str(e), status=HTTPStatus.BAD_REQUEST)
     except DataParsingError as e:
         return web.Response(text=f"request processing error:\n{e}", status=HTTPStatus.BAD_REQUEST)
     except KresManagerException as e:
@@ -87,7 +88,7 @@ class Server:
     # This is top-level class containing pretty much everything. Instead of global
     # variables, we use instance attributes. That's why there are so many and it's
     # ok.
-    def __init__(self, store: ConfigStore, config_path: Optional[Path]):
+    def __init__(self, store: ConfigStore, config_path: Optional[Path], manager: KresManager):
         # config store & server dynamic reconfiguration
         self.config_store = store
 
@@ -100,6 +101,7 @@ def __init__(self, store: ConfigStore, config_path: Optional[Path]):
         self._config_path: Optional[Path] = config_path
         self._exit_code: int = 0
         self._shutdown_event = asyncio.Event()
+        self._manager = manager
 
     async def _reconfigure(self, config: KresConfig) -> None:
         await self._reconfigure_listen_address(config)
@@ -262,16 +264,7 @@ async def _handler_metrics_prometheus(self, _request: web.Request) -> web.Respon
 
     async def _handler_cache_clear(self, request: web.Request) -> web.Response:
         data = parse_from_mime_type(await request.text(), request.content_type)
-
-        try:
-            config = CacheClearRPCSchema(data)
-        except (AggregateDataValidationError, DataValidationError) as e:
-            return web.Response(
-                body=e,
-                status=HTTPStatus.BAD_REQUEST,
-                content_type="text/plain",
-                charset="utf8",
-            )
+        config = CacheClearRPCSchema(data)
 
         _, result = await command_single_registered_worker(config.render_lua())
         return web.Response(
@@ -332,6 +325,30 @@ async def _handler_reload(self, _request: web.Request) -> web.Response:
         await self._reload_config()
         return web.Response(text="Reloading...")
 
+    async def _handler_processes(self, request: web.Request) -> web.Response:
+        """
+        Route handler for listing PIDs of subprocesses
+        """
+
+        proc_type: Optional[SubprocessType] = None
+
+        if "path" in request.match_info and len(request.match_info["path"]) > 0:
+            ptstr = request.match_info["path"]
+            if ptstr == "/kresd":
+                proc_type = SubprocessType.KRESD
+            elif ptstr == "/gc":
+                proc_type = SubprocessType.GC
+            elif ptstr == "/all":
+                proc_type = None
+            else:
+                return web.Response(text=f"Invalid process type '{ptstr}'", status=400)
+
+        return web.json_response(
+            await self._manager.get_processes(proc_type),
+            headers={"Access-Control-Allow-Origin": "*"},
+            dumps=partial(json.dumps, indent=4),
+        )
+
     def _setup_routes(self) -> None:
         self.app.add_routes(
             [
@@ -348,6 +365,7 @@ def _setup_routes(self) -> None:
                 web.get("/metrics/json", self._handler_metrics_json),
                 web.get("/metrics/prometheus", self._handler_metrics_prometheus),
                 web.post("/cache/clear", self._handler_cache_clear),
+                web.get("/processes{path:.*}", self._handler_processes),
             ]
         )
 
@@ -419,7 +437,7 @@ async def _init_config_store(config: Dict[str, Any]) -> ConfigStore:
     return ConfigStore(config_validated)
 
 
-async def _init_manager(config_store: ConfigStore, server: Server) -> KresManager:
+async def _init_manager(config_store: ConfigStore) -> KresManager:
     """
     Called asynchronously when the application initializes.
     """
@@ -429,7 +447,7 @@ async def _init_manager(config_store: ConfigStore, server: Server) -> KresManage
 
     # Create KresManager. This will perform autodetection of available service managers and
     # select the most appropriate to use (or use the one configured directly)
-    manager = await KresManager.create(controller, config_store, server.trigger_shutdown)
+    manager = await KresManager.create(controller, config_store)
 
     logger.info("Initial configuration applied. Process manager initialized...")
     return manager
@@ -566,11 +584,16 @@ async def start_server(config: Path = CONFIG_FILE) -> int:  # noqa: PLR0915
         # started, therefore before initializing manager
         await metrics.init_prometheus(config_store)
 
+        await files.init_files_watchdog(config_store)
+
+        # After we have loaded the configuration, we can start worrying about subprocess management.
+        manager = await _init_manager(config_store)
+
         # prepare instance of the server (no side effects)
-        server = Server(config_store, config)
+        server = Server(config_store, config, manager)
 
-        # After we have loaded the configuration, we can start worring about subprocess management.
-        manager = await _init_manager(config_store, server)
+        # add Server's shutdown trigger to the manager
+        manager.add_shutdown_trigger(server.trigger_shutdown)
 
     except SubprocessControllerExecError as e:
         # if we caught this exception, some component wants to perform a reexec during startup. Most likely, it would
diff --git a/scripts/Makefile.docker b/scripts/Makefile.docker
new file mode 100644
index 000000000..71908e058
--- /dev/null
+++ b/scripts/Makefile.docker
@@ -0,0 +1,48 @@
+# Based on https://netfuture.ch/2020/05/multi-arch-docker-image-easy/
+#
+# Example: make -f Makefile.docker docker-multiarch
+
+REGISTRY	= cznic
+BASETAG		= ${REGISTRY}/knot-resolver
+PLATFORMS	= linux/amd64,linux/arm/v7,linux/arm64/v8
+
+RELEASE		= $(shell git describe --abbrev=0 --exact-match)
+RELTAG		= $(shell [ -n "${RELEASE}" ] && echo "-t ${BASETAG}:${RELEASE}" || echo "")
+
+BUILDXDETECT	= ${HOME}/.docker/cli-plugins/docker-buildx
+QEMUDETECT	= /proc/sys/fs/binfmt_misc/qemu-m68k
+
+# https://stackoverflow.com/a/324782
+ROOT_DIR:=$(dir $(realpath $(lastword $(MAKEFILE_LIST))))/..
+
+docker-multiarch: qemu buildx docker-multiarch-builder
+	docker login
+	docker buildx build --no-cache --builder docker-multiarch --pull --push \
+	                    --platform ${PLATFORMS} ${RELTAG} ${ROOT_DIR}
+
+qemu: ${QEMUDETECT}
+${QEMUDETECT}:
+	docker pull multiarch/qemu-user-static
+	docker run --privileged multiarch/qemu-user-static --reset -p yes
+	docker ps -a | sed -n 's, *multiarch/qemu-user-static.*,,p' \
+	  | (xargs docker rm 2>&1 || \
+	    echo "Cannot remove docker container on ZFS; retry after next reboot") \
+	  | grep -v 'dataset is busy'
+
+buildx: ${BUILDXDETECT}
+${BUILDXDETECT}:
+	@echo
+# Output of `uname -m` is too different
+	@echo '*** `docker buildx` missing. Install binary for this machine architecture'
+	@echo '*** from `https://github.com/docker/buildx/releases/latest`'
+	@echo '*** to `~/.docker/cli-plugins/docker-buildx` and `chmod +x` it.'
+	@echo
+	@exit 1
+
+docker-multiarch-builder: qemu buildx
+	if ! docker buildx ls | grep -w docker-multiarch > /dev/null; then \
+		docker buildx create --name docker-multiarch && \
+		docker buildx inspect --builder docker-multiarch --bootstrap; \
+	fi
+
+.PHONY: qemu buildx docker-multiarch docker-multiarch-builder
\ No newline at end of file
diff --git a/setup.py b/setup.py
index 4234d8b0d..1e11e0c63 100644
--- a/setup.py
+++ b/setup.py
@@ -15,6 +15,7 @@
  'knot_resolver.datamodel.templates',
  'knot_resolver.datamodel.types',
  'knot_resolver.manager',
+ 'knot_resolver.manager.files',
  'knot_resolver.manager.metrics',
  'knot_resolver.utils',
  'knot_resolver.utils.compat',
@@ -27,7 +28,7 @@
 ['aiohttp', 'jinja2', 'pyyaml', 'supervisor', 'typing-extensions']
 
 extras_require = \
-{'prometheus': ['prometheus-client']}
+{'prometheus': ['prometheus-client'], 'watchdog': ['watchdog']}
 
 entry_points = \
 {'console_scripts': ['knot-resolver = knot_resolver.manager.main:main',
@@ -35,7 +36,7 @@
 
 setup_kwargs = {
     'name': 'knot-resolver',
-    'version': '6.0.8',
+    'version': '6.0.9',
     'description': 'Knot Resolver Manager - a Python program that automatically manages the other components of the resolver',
     'long_description': "# Knot Resolver\n\n[![Build Status](https://gitlab.nic.cz/knot/knot-resolver/badges/nightly/pipeline.svg?x)](https://gitlab.nic.cz/knot/knot-resolver/commits/nightly)\n[![Coverage Status](https://gitlab.nic.cz/knot/knot-resolver/badges/nightly/coverage.svg?x)](https://www.knot-resolver.cz/documentation/latest)\n[![Packaging status](https://repology.org/badge/tiny-repos/knot-resolver.svg)](https://repology.org/project/knot-resolver/versions)\n\nKnot Resolver is a full caching DNS resolver implementation. The core architecture is tiny and efficient, written in C and [LuaJIT][luajit], providing a foundation and a state-machine-like API for extension modules. There are three built-in modules - *iterator*, *validator* and *cache* - which provide the main functionality of the resolver. A few other modules are automatically loaded by default to extend the resolver's functionality.\n\nSince Knot Resolver version 6, it also includes a so-called [manager][manager]. It is a new component written in [Python][python] that hides the complexity of older versions and makes it more user friendly. For example, new features include declarative configuration in YAML format and HTTP API for dynamic changes in the resolver and more.\n\nKnot Resolver uses a [different scaling strategy][scaling] than the rest of the DNS resolvers - no threading, shared-nothing architecture (except MVCC cache which can be shared), which allows you to pin workers to available CPU cores and grow by self-replication. You can start and stop additional workers based on the contention without downtime, which is automated by the [manager][manager] by default.\n\nThe LuaJIT modules, support for DNS privacy and DNSSEC, and persistent cache with low memory footprint make it a great personal DNS resolver or a research tool to tap into DNS data. Strong filtering rules, and auto-configuration with etcd make it a great large-scale resolver solution. It also has strong support for DNS over TCP, in particular TCP Fast-Open, query pipelining and deduplication, and response reordering.\n\nFor more on using the resolver, see the [User Documentation][doc]. See the [Developer Documentation][doc-dev] for detailed architecture and development.\n\n## Packages\n\nThe latest stable packages for various distributions are available in our\n[upstream repository](https://pkg.labs.nic.cz/doc/?project=knot-resolver).\nFollow the installation instructions to add this repository to your system.\n\nKnot Resolver is also available from the following distributions' repositories:\n\n* [Fedora and Fedora EPEL](https://src.fedoraproject.org/rpms/knot-resolver)\n* [Debian stable](https://packages.debian.org/stable/knot-resolver),\n  [Debian testing](https://packages.debian.org/testing/knot-resolver),\n  [Debian unstable](https://packages.debian.org/sid/knot-resolver)\n* [Ubuntu](https://packages.ubuntu.com/jammy/knot-resolver)\n* [Arch Linux](https://archlinux.org/packages/extra/x86_64/knot-resolver/)\n* [Alpine Linux](https://pkgs.alpinelinux.org/packages?name=knot-resolver)\n\n### Packaging\n\nThe project uses [`apkg`](https://gitlab.nic.cz/packaging/apkg) for packaging.\nSee [`distro/README.md`](distro/README.md) for packaging specific instructions.\n\n## Building from sources\n\nKnot Resolver mainly depends on [KnotDNS][knot-dns] libraries, [LuaJIT][luajit], [libuv][libuv] and [Python][python].\n\nSee the [Building project][build] documentation page for more information.\n\n## Running\n\nBy default, Knot Resolver comes with [systemd][systemd] integration and you just need to start its service. It requires no configuration changes to run a server on localhost.\n\n```\n# systemctl start knot-resolver\n```\n\nSee the documentation at [knot-resolver.cz/documentation/latest][doc] for more information.\n\n## Running the Docker image\n\nRunning the Docker image is simple and doesn't require any dependencies or system modifications, just run:\n\n```\n$ docker run -Pit cznic/knot-resolver\n```\n\nThe images are meant as an easy way to try the resolver, and they're not designed for production use.\n\n## Contacting us\n\n- [GitLab issues](https://gitlab.nic.cz/knot/knot-resolver/issues) (you may authenticate via GitHub)\n- [mailing list](https://lists.nic.cz/postorius/lists/knot-resolver-announce.lists.nic.cz/)\n- [![Join the chat at https://gitter.im/CZ-NIC/knot-resolver](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/CZ-NIC/knot-resolver?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)\n\n[build]: https://www.knot-resolver.cz/documentation/latest/dev/build.html\n[doc]: https://www.knot-resolver.cz/documentation/latest/\n[doc-dev]: https://www.knot-resolver.cz/documentation/latest/dev\n[knot-dns]: https://www.knot-dns.cz/\n[luajit]: https://luajit.org/\n[libuv]: http://libuv.org\n[python]: https://www.python.org/\n[systemd]: https://systemd.io/\n[scaling]: https://www.knot-resolver.cz/documentation/latest/config-multiple-workers.html\n[manager]: https://www.knot-resolver.cz/documentation/latest/dev/architecture.html\n",
     'author': 'Aleš Mrázek',
diff --git a/tests/packaging/interactive/cache-clear.sh b/tests/packaging/interactive/cache-clear.sh
index 79d88a123..512096d63 100755
--- a/tests/packaging/interactive/cache-clear.sh
+++ b/tests/packaging/interactive/cache-clear.sh
@@ -1,14 +1,14 @@
 #!/usr/bin/env bash
 
 # clear full cache
-kresctl cache clear
+kresctl cache clear > /dev/null
 if [ "$?" -ne "0" ]; then
 	echo "Could not clear full cache"
 	exit 1
 fi
 
 # clear just example.com. AAAA record, get JSON output
-kresctl cache clear --json --exact-name --rr-type AAAA example.com. | python3 -m json.tool
+kresctl cache clear --json --exact-name --rr-type AAAA example.com. | python3 -m json.tool > /dev/null
 if [ "$?" -ne "0" ]; then
 	echo "Could not clear example.com. AAAA record or output is not a valid JSON"
 	exit 1
diff --git a/tests/packaging/interactive/etag.sh b/tests/packaging/interactive/etag.sh
index 3a9de46cc..d40f358f3 100755
--- a/tests/packaging/interactive/etag.sh
+++ b/tests/packaging/interactive/etag.sh
@@ -2,13 +2,9 @@
 
 set -e
 
-socket_opt="--unix-socket /var/run/knot-resolver/manager.sock"
+socket_opt="--unix-socket /run/knot-resolver/kres-api.sock"
 
-echo "  etag"
 etag="$(curl --silent $socket_opt --fail http://localhost:5000/v1/config -o /dev/null -v 2>&1 | grep ETag | sed 's/< ETag: //;s/\s//')"
-echo "  etag OK"
 
-echo "  status"
 status=$(curl --silent $socket_opt --fail  http://localhost:5000/v1/config --header "If-None-Match: $etag" -w "%{http_code}" -o /dev/null)
 test "$status" -eq 304
-echo "  status OK"
diff --git a/tests/packaging/interactive/metrics.sh b/tests/packaging/interactive/metrics.sh
index 63ac035d2..fbf2ff399 100755
--- a/tests/packaging/interactive/metrics.sh
+++ b/tests/packaging/interactive/metrics.sh
@@ -2,15 +2,15 @@
 
 set -e
 
-curl --silent --fail --unix-socket /var/run/knot-resolver/manager.sock http://localhost/metrics > /dev/null
+curl --silent --fail --unix-socket /run/knot-resolver/kres-api.sock http://localhost/metrics > /dev/null
 
-kresctl metrics
+kresctl metrics > /dev/null
 if [ "$?" -ne "0" ]; then
 	echo "Could not get metrics in JSON format"
 	exit 1
 fi
 
-kresctl metrics --prometheus
+kresctl metrics --prometheus > /dev/null
 if [ "$?" -ne "0" ]; then
 	echo "Could not get metrics in Prometheus format"
 	exit 1
diff --git a/tests/packaging/interactive/schema.sh b/tests/packaging/interactive/schema.sh
index 3ea45d522..9f6716538 100755
--- a/tests/packaging/interactive/schema.sh
+++ b/tests/packaging/interactive/schema.sh
@@ -1,14 +1,14 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -e
 
-kresctl schema
+kresctl schema > /dev/null
 if [ "$?" -ne "0" ]; then
 	echo "Failed to generate JSON schema with 'kresctl'"
 	exit 1
 fi
 
-kresctl schema --live
+kresctl schema --live > /dev/null
 if [ "$?" -ne "0" ]; then
 	echo "Failed to get JSON schema from the running resolver"
 	exit 1
diff --git a/tests/packaging/interactive/watchdog.sh b/tests/packaging/interactive/watchdog.sh
new file mode 100755
index 000000000..6e5e506a7
--- /dev/null
+++ b/tests/packaging/interactive/watchdog.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+set -e
+
+gitroot=$(git rev-parse --show-toplevel)
+cert_file=$gitroot/modules/http/test_tls/test.crt
+key_file=$gitroot/modules/http/test_tls/test.key
+
+tls_certificate_conf=$(cat <<EOF
+{
+    "cert-file": "$cert_file",
+    "key-file": "$key_file"
+}
+EOF
+)
+
+# configure TLS certificate files
+kresctl config set -p /network/tls "$tls_certificate_conf"
+if [ "$?" -ne "0" ]; then
+    echo "Could not set TLS certificate files."
+    exit 1
+fi
+
+function count_errors(){
+    echo "$(journalctl -u knot-resolver.service | grep -c error)"
+}
+
+function count_reloads(){
+    echo "$(journalctl -u knot-resolver.service | grep -c "Reloading of TLS certificate files has finished")"
+}
+
+# test modification
+# {{
+
+# modify certificate files with '-', it will trigger reload
+err_count=$(count_errors)
+rel_count=$(count_reloads)
+echo "-----------" >> $cert_file
+echo "-----------" >> $key_file
+
+# wait for files reload to finish
+sleep 6
+
+if [ $(count_errors) -ne $err_count ] || [ $(count_reloads) -eq $rel_count ]; then
+    echo "Could not reload modified TLS certificate files."
+    exit 1
+fi
+
+# }}
+
+# test replacement
+# {{
+
+rel_count=$(count_reloads)
+
+# copy cert files
+cp $cert_file test.crt.new
+cp $key_file test.key.new
+
+# edit new files
+echo "-----------" >> test.crt.new
+echo "-----------" >> test.key.new
+
+# replace files
+mv -f test.crt.new $cert_file
+mv -f test.key.new $key_file
+
+# wait for files reload to finish
+sleep 6
+
+if [ $(count_errors) -ne $err_count ] || [ $(count_reloads) -eq $rel_count ]; then
+    echo "Could not reload replaced TLS certificate files."
+    exit 1
+fi
+
+# }}
+
+# test recovery from deletion and creation
+# {{
+
+rel_count=$(count_reloads)
+
+# backup cert files
+cp $cert_file test.crt.backup
+cp $key_file test.key.backup
+
+# delete cert files
+rm $cert_file $key_file
+
+# create cert files
+mv test.crt.backup $cert_file
+mv test.key.backup $key_file
+
+# wait for files reload to finish
+sleep 6
+
+if [ $(count_errors) -ne $err_count ] || [ $(count_reloads) -eq $rel_count ]; then
+    echo "Could not reload created TLS certificate files."
+    exit 1
+fi
+
+# }}