diff --git a/.gitignore b/.gitignore
index 706eb41..a7dfbbe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,4 @@
 /*.tar.gz
-/data/servnest.db
 /logs/certbot/letsencrypt.log*
 /data/certbot/live/*/*.pem
 /data/certbot/archive/*/*.pem
@@ -19,13 +18,22 @@
 /logs/nginx/servnest-access.log
 /logs/nginx/error.log
 /logs/apache/error.log
+/logs/knot/knot.log
+/logs/knot-secondary/knot.log
 /data/certbot/accounts/acme-staging-v02.api.letsencrypt.org/directory/*/*.json
 /sock/knot/knot.pid
+/sock/knot-secondary/knot.pid
 /data/knot/*/*.mdb
+/data/knot/keys/quic_key.pem
 /data/knot/keys/keys/*.pem
 /data/knot/servnest.test.invalid.zone
+/data/knot-secondary/*.zone
+/data/knot-secondary/*/*.mdb
+/data/knot-secondary/keys/quic_key.pem
 /tmp/tor/*
 /tmp/cronie/cron.reboot
 /tmp/php/exec.txt
 /tmp/php/index.html
+/tmp/php/sess_*
+/tmp/php/cookie-*
 /tmp/*/*.pid
diff --git a/README.md b/README.md
index c25f175..100748b 100644
--- a/README.md
+++ b/README.md
@@ -11,12 +11,7 @@ no_hosts=true
 ```
 ```shell
-knotc --confdb data/knot/confdb conf-import conf/knot.conf
-cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
-cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone
-chmod u=rwX,g=rX,o=rX -R conf core
-chmod u=rwX,g=rwX,o=rwX logs/sftpgo logs/php sock/php logs/apache logs/nginx sock/tor-client sock/nginx-onion sock/knot data/knot data/knot/confdb data/knot/confdb/*.mdb tmp/nginx tmp/certbot tmp/acme tmp/apache tmp/nginx-run tmp/php data/reg data/reg/*.zone core/db core/db/servnest.db
-chmod u=rwX,g=rX,o= sock/tor-control
+./reset.sh
 wget https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/x86_64/alpine-minirootfs-3.21.0-x86_64.tar.gz
 wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.4.tar.gz -O sftpgo-v2.6.4.tar.gz
 sha256sum -c sha256sums
@@ -32,6 +27,8 @@ podman-compose build # build services images
 ### Run
 ```shell
+podman-compose up knot knot-secondary # generate QUIC keys
+./setup-xoq.sh # setup mutual XFR over QUIC
 podman-compose up # start containers
 podman-compose exec php php /srv/servnest/core/jobs/check.php # test main features
 ```
diff --git a/compose.yaml b/compose.yaml
index 437af7b..4a35f2d 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -39,13 +39,35 @@ services:
 build:
 dockerfile: knot.Containerfile
 ports:
- - "[::1]:42053:42053/udp"
- - "[::1]:42053:42053/tcp"
+ - "[::1]:42053:53/udp"
+ - "[::1]:42053:53/tcp"
+ - "[::1]:42853:853/udp"
 volumes:
 - ./data/reg/:/srv/servnest/reg/:rw
 - ./data/ns/:/srv/servnest/ns/:rw
 - ./data/knot/:/var/lib/knot/:rw
+ - ./logs/knot/:/var/log/knot/:rw
 - ./sock/knot/:/run/knot/:rw
+ networks:
+ snet:
+ ipv4_address: 10.5.0.51
+ knot-secondary:
+ extends:
+ file: base.yaml
+ service: base
+ build:
+ dockerfile: knot.Containerfile
+ ports:
+ - "[::1]:42054:53/udp"
+ - "[::1]:42054:53/tcp"
+ - "[::1]:42854:853/udp"
+ volumes:
+ - ./data/knot-secondary/:/var/lib/knot/:rw
+ - ./logs/knot-secondary/:/var/log/knot/:rw
+ - ./sock/knot-secondary/:/run/knot/:rw
+ networks:
+ snet:
+ ipv4_address: 10.5.0.52
 apache:
 extends:
 file: base.yaml
@@ -90,6 +112,7 @@ services:
 - ./sock/tor-client/:/run/tor-client/:rw
 - ./sock/tor-control/:/run/tor-control/:rw
 - ./sock/knot/:/run/knot/:rw
+ - ./sock/knot-secondary/:/run/knot-secondary/:rw
 - ./logs/php/:/var/log/php83/:rw
 - ./logs/certbot/:/var/log/letsencrypt/:rw
 - ./tmp/acme/:/srv/servnest/acme/:rw
@@ -134,3 +157,10 @@ services:
 - ./tmp/nginx/:/var/lib/nginx/tmp/:rw
 - ./tmp/nginx-run/:/run/nginx/:rw
 - ./tmp/acme/:/srv/servnest/acme/:ro
+networks:
+ snet:
+ driver: bridge
+ ipam:
+ config:
+ - subnet: 10.5.0.0/16
+ gateway: 10.5.0.1
diff --git a/conf/knot-secondary.conf b/conf/knot-secondary.conf
new file mode 100644
index 0000000..4fa9876
--- /dev/null
+++ b/conf/knot-secondary.conf
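Review bot: Once `knot` and `knot-secondary` declare `networks: snet` they are attached to that network only, while services that declare no `networks` key (php, apache and nginx in the hunks shown) remain on the compose default network; if any of them reaches `knot` over IP rather than through the bind-mounted `/run/knot` control socket, this change cuts that path and those services need `networks: [snet]` too — worth confirming against the php service definition, which is only partly visible here. The static `ipv4_address` values are what `conf/knot.conf` and `conf/knot-secondary.conf` pin as their XFR peers, so a comment next to the `snet` definition such as `# 10.5.0.51 = knot, 10.5.0.52 = knot-secondary; referenced by remote.address in conf/knot*.conf` keeps the three files from drifting apart. The host mappings still bind to `[::1]` only, so the containers' new wildcard `listen` does not publish the DNS or QUIC ports beyond the loopback.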
@@ -0,0 +1,33 @@
+server:
+ version: ""
+ nsid: ""
+ rundir: "/run/knot"
+ listen: [ "::@53", "0.0.0.0@53", "/run/knot/dns.sock" ]
+ listen-quic: [ "::@853", "0.0.0.0@853" ]
+ automatic-acl: "on"
+
+log:
+ - target: stderr
+ any: warning
+ - target: "/var/log/knot/knot.log"
+ any: debug
+
+database:
+ storage: "/var/lib/knot"
+
+remote:
+ - id: "primary"
+ address: [ "10.5.0.51@853" ]
+ quic: on
+ cert-key: "0000000000000000000000000000000000000000000=" # will be replaced by setup-xoq.sh
+
+template:
+ - id: "servnest"
+ storage: "/var/lib/knot"
+ master: "primary"
+
+zone:
+ - domain: "servnest.test.invalid."
+ master: "primary"
+ catalog-role: interpret
+ catalog-template: "servnest"
diff --git a/conf/knot.conf b/conf/knot.conf
index a4f3b24..a838792 100644
--- a/conf/knot.conf
+++ b/conf/knot.conf
@@ -2,12 +2,15 @@ server:
 version: ""
 nsid: ""
 rundir: "/run/knot"
-# user: "knot:knot"
- listen: [ "::1@42053", "127.0.0.1@42053", "/run/knot/dns.sock" ]
+ listen: [ "::@53", "0.0.0.0@53", "/run/knot/dns.sock" ]
+ listen-quic: [ "::@853", "0.0.0.0@853" ]
+ automatic-acl: "on"
 log:
 - target: stderr
 any: warning
+ - target: "/var/log/knot/knot.log"
+ any: debug
 database:
 storage: "/var/lib/knot"
@@ -21,10 +24,16 @@ policy:
 delete-delay: 60d
 dnskey-management: "incremental"
+remote:
+ - id: "secondary"
+ address: [ "10.5.0.52@853" ]
+ quic: on
+ cert-key: "1111111111111111111111111111111111111111111=" # will be replaced by setup-xoq.sh
+
 template:
 - id: "servnest"
 storage: "/srv/servnest/ns"
- file: "%s.zone"
+ notify: "secondary"
 zonefile-load: "whole"
 journal-content: "all"
 dnssec-signing: "on"
@@ -34,6 +43,7 @@ template:
 zone:
 - domain: "servnest.test.invalid."
+ notify: "secondary"
 zonefile-load: "whole"
 journal-content: "all"
 catalog-role: "generate"
diff --git a/data/knot-secondary/.gitkeep b/data/knot-secondary/.gitkeep
new file mode 100644
index 0000000..e69de29
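Review bot: The `cert-key` comment on the `primary` remote understates what happens: `setup-xoq.sh` replaces the placeholder pin only in the running confdb, this file keeps the dummy value, and `reset.sh` re-imports the file with `knotc conf-import`, so every reset silently restores a pin that matches no certificate and the QUIC peer cannot be authenticated until `setup-xoq.sh` is run again. The same applies to the `secondary` remote added in the second `conf/knot.conf` hunk. I would extend the comment to `# placeholder pin; setup-xoq.sh writes the real key into the confdb only — re-run it after every reset.sh`. As a style point, `quic: on` is the only unquoted boolean in both files (`automatic-acl: "on"`, `dnssec-signing: "on"` are quoted); pick one form.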
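Review bot: The new file log target at `any: debug` is the data source `setup-xoq.sh` scrapes for the peer's QUIC certificate key, but nothing in the configuration says so; a later tidy-up that raises the level or drops the target would break XoQ setup with no visible link between the two. I would annotate it: `# debug level is required: setup-xoq.sh reads the "certificate public key" line from this file`. The same target is added in `conf/knot-secondary.conf`. Since `permissions.sh` makes `logs/knot` and `logs/knot-secondary` world-writable on the host, this file is also a weak place to take a trust anchor from; if the packaged Knot provides `knotc status cert-key` (Knot 3.2 and later), that is the better source for the setup script and the comment can point there instead.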
diff --git a/data/knot-secondary/journal/.gitkeep b/data/knot-secondary/journal/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/data/knot-secondary/keys/keys/.gitkeep b/data/knot-secondary/keys/keys/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/data/knot/journal/.gitkeep b/data/knot/journal/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/data/knot/keys/keys/.gitkeep b/data/knot/keys/keys/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/knot.Containerfile b/knot.Containerfile
index 6ceed28..4ef8f7c 100644
--- a/knot.Containerfile
+++ b/knot.Containerfile
@@ -1,4 +1,4 @@
 FROM servnest-alpine
-RUN apk add knot
+RUN apk add knot knot-utils
 USER knot
 CMD ["knotd", "--confdb", "/var/lib/knot/confdb/"]
diff --git a/logs/knot/.gitkeep b/logs/knot/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/permissions.sh b/permissions.sh
new file mode 100755
index 0000000..f66b6f6
--- /dev/null
+++ b/permissions.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+chmod u=rwX,g=rX,o=rX -R conf core
+chmod u=rwX,g=rwX,o=rwX \
+ logs/sftpgo \
+ logs/php \
+ sock/php \
+ logs/apache \
+ logs/nginx \
+ logs/knot \
+ logs/knot-secondary \
+ sock/tor-client \
+ sock/nginx-onion \
+ sock/knot \
+ sock/knot-secondary \
+ data/ht/fs \
+ data/knot \
+ data/knot-secondary \
+ data/knot/journal \
+ data/knot-secondary/journal \
+ data/knot/confdb \
+ data/knot-secondary/confdb \
+ data/knot/confdb/*.mdb \
+ data/knot-secondary/confdb/*.mdb \
+ data/knot/keys \
+ data/knot-secondary/keys \
+ data/knot/keys/keys \
+ data/knot-secondary/keys/keys \
+ tmp/nginx \
+ tmp/certbot \
+ tmp/acme \
+ tmp/apache \
+ tmp/nsd \
+ tmp/nsd-run \
+ tmp/nsd-run/nsd \
+ tmp/nginx-run \
+ tmp/php \
+ data/reg \
+ data/reg/*.zone \
+ core/db \
+ core/db/servnest.db
+chmod u=rwX,g=rX,o= sock/tor-control
diff --git a/reset.sh b/reset.sh
new file mode 100755
index 0000000..ad53f8c
--- /dev/null
+++ b/reset.sh
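Review bot: `chmod u=rwX,g=rwX,o=rwX` now covers `data/knot/keys/keys` and `data/knot-secondary/keys/keys` (where the `.gitignore` hunk shows `*.pem` files are kept), both `confdb/*.mdb` databases and `core/db/servnest.db`, so the DNSSEC key material and the application database become writable by every local user; if that is needed because the containers run under a remapped uid, a header comment stating so and the intended scope (`# dev only: world-writable so rootless containers with remapped uids can write; do not run on a shared host`) is the minimum, and `g=rwX,o=` with a shared group or `podman unshare chown` would be the tighter fix. The script also has no `set -e` and no `shopt -s nullglob`, so an unmatched `data/knot/confdb/*.mdb` is passed to chmod literally and the resulting error is printed and ignored, which is easy to miss among this many paths. `tmp/nsd`, `tmp/nsd-run` and `tmp/nsd-run/nsd` match no service in the compose hunks shown and look like leftovers that could be dropped.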
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+rm -f data/knot/*/*.mdb
+rm -f data/knot/keys/keys/*.pem
+rm -f data/knot/keys/quic_key.pem
+rm -f data/reg/servnest.test.zone
+rm -f data/reg/test.servnest.test.zone
+rm -f data/knot-secondary/*/*.mdb
+rm -f data/knot-secondary/keys/keys/*.pem
+rm -f data/knot-secondary/keys/quic_key.pem
+
+knotc --confdb data/knot/confdb conf-import conf/knot.conf
+knotc --confdb data/knot-secondary/confdb conf-import conf/knot-secondary.conf
+cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
+cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone
diff --git a/setup-xoq.sh b/setup-xoq.sh
new file mode 100755
index 0000000..3dbfdda
--- /dev/null
+++ b/setup-xoq.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+ENGINE="docker"
+
+$ENGINE-compose exec knot-secondary knotc conf-begin
+$ENGINE-compose exec knot-secondary knotc conf-unset remote[primary].cert-key
+$ENGINE-compose exec knot-secondary knotc conf-set remote[primary].cert-key $($ENGINE-compose exec knot cat /var/log/knot/knot.log | grep "certificate public key" | cut -d " " -f 7 | tail -1)
+$ENGINE-compose exec knot-secondary knotc conf-commit
+
+$ENGINE-compose exec knot knotc conf-begin
+$ENGINE-compose exec knot knotc conf-unset remote[secondary].cert-key
+$ENGINE-compose exec knot knotc conf-set remote[secondary].cert-key $($ENGINE-compose exec knot-secondary cat /var/log/knot/knot.log | grep "certificate public key" | cut -d " " -f 7 | tail -1)
+$ENGINE-compose exec knot knotc conf-commit
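Review bot: The `knotc conf-import` and `cp` lines run without `set -e`, and every path is relative to the current directory, so invoking the script from anywhere but the repository root (the README calls it as `./reset.sh`) turns the `rm -f` globs into silent no-ops, then `knotc` and `cp` fail one after another while the script still exits with the status of the last `cp`. Adding `set -euo pipefail` and `cd -- "$(dirname -- "$0")"` after the shebang fixes both. `knotc` here is the host's binary writing a confdb that the container's `knotd` later opens, so a comment such as `# host knotc and the knot package in knot.Containerfile must be compatible versions` would save debugging time if the two ever diverge.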
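Review bot: The two `conf-set … cert-key $(…)` lines pass an unquoted command substitution whose value comes from `grep … | cut -d " " -f 7 | tail -1` over the peer's debug log; if the log has not been written yet (the README only says to start the two services first) or the line format differs from what `cut -f 7` expects, the substitution is empty, `conf-set` runs with no value, and `conf-commit` follows regardless because nothing is checked and there is no `set -e`, leaving the remote without a usable pin while the script appears to succeed. Fetching each key into a variable, refusing to continue when it is empty, and quoting it (and the `remote[primary].cert-key` argument, which is otherwise a glob pattern) closes that gap; the rewrite below does this. `ENGINE="docker"` is hard-coded while the README drives everything with `podman-compose`, so `ENGINE="${ENGINE:-docker}"` lets the documented steps work unchanged. Because `permissions.sh` leaves the log directories world-writable on the host, the log file is a weak source for a trust anchor; if the packaged Knot supports `knotc status cert-key` (3.2 and later), prefer it over parsing the log.
```shell
#!/usr/bin/env bash
set -euo pipefail

ENGINE="${ENGINE:-docker}"

# Print the QUIC certificate public key the given service logged; fail if none is there yet.
quic_key() {
  local service=$1 key
  key=$("$ENGINE-compose" exec "$service" cat /var/log/knot/knot.log \
    | grep "certificate public key" | cut -d " " -f 7 | tail -1) || key=""
  [[ -n "$key" ]] || { printf 'no QUIC certificate key in %s log yet\n' "$service" >&2; exit 1; }
  printf '%s\n' "$key"
}

primary_key=$(quic_key knot)
secondary_key=$(quic_key knot-secondary)

"$ENGINE-compose" exec knot-secondary knotc conf-begin
"$ENGINE-compose" exec knot-secondary knotc conf-unset 'remote[primary].cert-key'
"$ENGINE-compose" exec knot-secondary knotc conf-set 'remote[primary].cert-key' "$primary_key"
"$ENGINE-compose" exec knot-secondary knotc conf-commit
# … unchanged: the same four knotc steps for the knot service, using "$secondary_key" …
```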