Zigbee Coordinator Failover

I want to build a fault-tolerant network, and one of the concerns is the zigbee coordinator failover to a different device.

I am a smart home enthusiast and I have some background in high availability servers, so I decided that my smart home must be fault tolerant.

I have a Home Assistant server and a number of zigbee devices on my network. The Home Assistant server has an XBee and is the coordinator for the network. I want to have a server in a different location of my house that will be able to completely replace the primary coordinator in case of a disaster. All devices must remain in the same network, and requests to the 0000 address must be routed to the new coordinator.

I’ve read https://www.digi.com/resources/documentation/Digidocs/90002002/Content/Concepts/c_zb_replacing_coordinator.htm , but I am not ready to disable encryption. Is any solution with encryption available?

If I configure both with the same key with KY, would that be enough?

See https://www.digi.com/resources/documentation/digidocs/90002002/default.htm#Concepts/c_zb_replacing_coordinator.htm?Highlight=Coordinator%20replacement

I already did (as noted in my question) and it doesn’t cover the encryption part.

With encryption enabled, there is no way to replace the coordinator without issuing a network reset. That is by design.

Please, I would like to know some more details on the design and why it is not possible.
For instance:

  1. Is it still true if I assign the same network key to the secondary coordinator?
  2. What if I make the secondary coordinator node a trust center?
  3. Can’t devices that already joined the network communicate directly without a coordinator? If I remove the coordinator and then promote one of the routers to coordinator, would that work? I.e., would it receive requests on the 0000 address?

P.S. I am aware I can’t have two coordinators simultaneously on.

  1. What if I have a distributed trust center, should that allow me to replace a node?

Using a trust center is what keeps you from being able to replace the coordinator as it is the trust center.

May I ask you to elaborate more on this? If the network key is shared between other nodes, why can’t one of them be promoted to a new trust center?

The trust center can’t be replaced. It is part of the Zigbee standard. Think about it: if you could replace the trust center, then the network could be hijacked.

I believe it cannot be hijacked if the attacker needs to know the network key prior to the attack.
Does the standard explicitly say ‘This is not allowed. Period.’, or does it define some features that prevent me from doing it? If the former, it would be no harm if I just violate it. If the latter, I want to know exactly what those features are.

Yes, it does. The standard does not allow for the Trust Center to be replaced. It is the one item that can’t be replaced without re-forming the network. In Digi’s case, the trust center is the coordinator. So in an encrypted network where you are using a trust center, you can’t replace the coordinator without issuing a network reset.

I believe Digi will be releasing a new firmware version in the next quarter that may add this feature on the newer XBee 3 products.

Yes. If you are using the Digi XBee 3 Zigbee 3 module, you will be able to swap out or create a back-up coordinator once that new version is released. This functionality might not be added to previous (non-XBee3) releases such as the Digi XBee S2C due to memory constraints on that hardware.

Was this ever released and is it available? I’m also looking for a fault tolerant solution to ZB since I have so many devices in my home now.

The ability to replace a Coordinator without a Trust Center enabled is released. But if you are using a Trust Center, no, it was not part of the Zigbee standard. To replace the Trust Center, you must re-form the network.