zone-statusin knotc and check serial numbers and other data on slave and compare them with master server.
it doesn't work with onlinesignwants to say that if online signing is enabled, which means the module is responsible for key rollovers,
must not be disabledand
must be enabled. It should mean
cds-cdnskey-publishis not set to
none! So if you keep the default, it's ok.
automatic zone signing(https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#automatic-dnssec-signing) with
online signing(https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#onlinesign-online-dnssec-signing)! Most of our user use normal signing (I guess it's also your case), for whom the ds-push feature is intended.