It is not enough that the other node does not forge any more. Assume you want to change from
node2. Then you need to basically do the following:
- Deactivate forging on
- Get last block
A forged by
- Use last block
A to initialize the forging on
The last step ensures that
node2 is on the correct chain and does not cast contradicting consensus votes that could lead to a protocol violation. See the links posted by @michielmulders for details.
Note that Lisk SDK 3.0 uses a new improved consensus algorithm which avoids that nodes do not forge because of low Broadhash consensus (actually there is no Broadhash any more). Therefore, it should not be necessary to have multiple forging servers to guarantee high availability.
If you are worried about DoS attacks, then a sentry architecture good be a good solution:
- 1 server which forges block, but which keeps it IP address private. This can be achieved by only connecting to trusted fixed peers and not advertise your IP, see LIP 0004 for details.
- Multiple servers that do not forge and run default p2p configuration with whitelisting the forging server. This means that the IP address of these servers is broadcast as part of the normal P2P discovery in lisk-p2p. The private forging server only connects these trusted public nodes.
This setup ensures that the IP of the forging server is never known to anyone in the Lisk P2P network except for the trusted public nodes.