Hi,
We're migrating our signer from OpenDNSSEC to Knot 3.0. Our new design
will have one active signer and at least one backup signer. Zone data is
deployed from git to both signers. We've got syncing of the keys working
using `knotc zone-backup +nozonefile` and `knotc zone-restore
+nozonefile`. I'm still unsure of how hot to keep the standby. In the
dev env now I have the standby set to a manual dnssec policy to keep it
from rolling its keys. The keys are synced from the active signer every
hour. Both the active and the backup signers are creating signatures but
SOA serials don't match. Both signers have `serial-policy: dateserial`
and `zonefile-sync: -1` but we're considering adding `zonefile-load:
difference-no-serial`.
We've discussed stopping signing on the backup altogether and including
the zonefiles in the backup. The problem we have with this idea is that
problems with signing on the backup won't be discovered until it goes
active.
Are other people doing active-backup signers and how do you set it up?
.einar
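As an added example (not configuration from the post or from the Knot project), two Knot 3.0 config excerpts for the active/standby design described above: identical zone settings on both signers, with only the DNSSEC policy differing (automatic on the active, `manual: on` on the standby). Zone name, storage and backup paths and policy ids are placeholders.

```yaml
# Added illustration, not the poster's configuration. Zone name, paths
# and policy ids are assumed placeholders.

# --- active signer: /etc/knot/knot.conf ---
policy:
  - id: rolling                 # automatic key generation and rollovers
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d

template:
  - id: signer
    storage: /var/lib/knot
    dnssec-signing: on
    serial-policy: dateserial   # YYYYMMDDnn, incremented by this server
    zonefile-sync: -1           # never write the signed zone back to disk
    zonefile-load: difference-no-serial  # apply the unsigned file from git as
                                         # a diff; keep the server's own SOA serial

zone:
  - domain: example.com.        # placeholder zone
    template: signer
    dnssec-policy: rolling

# --- standby signer: /etc/knot/knot.conf ---
# Same template; only the policy differs. 'manual: on' means the standby
# never generates or rolls keys, it only signs with what zone-restore brings in.
policy:
  - id: standby
    manual: on

template:
  - id: signer
    storage: /var/lib/knot
    dnssec-signing: on
    serial-policy: dateserial
    zonefile-sync: -1
    zonefile-load: difference-no-serial

zone:
  - domain: example.com.
    template: signer
    dnssec-policy: standby

# Hourly key sync, with the commands used in the post (backup directory is a
# placeholder; copy it from the active signer before restoring):
#   active:  knotc zone-backup  +backupdir /var/backups/knot +nozonefile example.com.
#   standby: knotc zone-restore +backupdir /var/backups/knot +nozonefile example.com.
```

Because each signer increments its dateserial locally and the KASP backup carries no serial, the two SOA serials will still drift apart with this layout; that is the mismatch the post observes, not a misconfiguration.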