On 14/12/2020 10:26, Einar Bjarni Halldórsson wrote:
Hi Einar,
[snip]
> Are other people doing active-backup signers and how
> do you set it up?

We have a pair of signers, an active one, and a standby. Both get copies
of the zones, and sign them. However, we only do XFR out of the active
signer for distribution.

On the active signer, we make backups of the keys, but we don't restore
them to the standby signer. We have a procedure in place so that if the
active signer fails for any reason, we can then restore its keys to the
standby signer. We feel that this manual step is better, so that we have
a controlled switch-over to the standby.

Both of our signers are configured to roll their keys, so the standby
signer is obviously out of sync now. However, if we need to switch to
it, then we would first restore the active signer's keys to it, make it
re-sign all the zones, and then switch.

Regards,
Anand
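
A pre-switch-over check for the procedure described in the message above, as an added example that is not part of the original e-mail or of any signer's own tooling: it compares the DNSKEY sets published by the two signers (for instance, saved query output with one record per line) and reports, by key tag, which of the active signer's keys the standby is not yet using. The function names and the sample records are constructed for illustration; the key tag calculation follows RFC 4034 Appendix B.

```python
import base64
import struct

# Constructed sample DNSKEY RRsets (placeholder key material, not real keys).
ACTIVE = """example. 3600 IN DNSKEY 257 3 13 AQID
example. 3600 IN DNSKEY 256 3 13 BAUG"""
# Standby that rolled its own keys and has not had the active keys restored.
STANDBY = """example. 3600 IN DNSKEY 257 3 13 BwgJ
example. 3600 IN DNSKEY 256 3 13 CgsM"""


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskeys(text):
    """Return {(flags, protocol, algorithm, pubkey)}; one record per line."""
    keys = set()
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        keys.add((flags, protocol, algorithm, "".join(fields[i + 4:])))
    return keys


def switchover_report(active_text, standby_text):
    """Compare full key material; report differences as sorted key tags."""
    active, standby = parse_dnskeys(active_text), parse_dnskeys(standby_text)
    missing = sorted(key_tag(*k) for k in active - standby)
    extra = sorted(key_tag(*k) for k in standby - active)
    return {"missing_on_standby": missing,
            "extra_on_standby": extra,
            "safe_to_switch": not missing and not extra}


if __name__ == "__main__":
    print(switchover_report(ACTIVE, STANDBY))
```

A non-empty `missing_on_standby` list means the standby is still signing with keys that resolvers holding the active signer's DNSKEY and DS records will not validate, so the restore and re-sign steps have not completed.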