diff --git a/roles/knot/tasks/main.yml b/roles/knot/tasks/main.yml
index f7aa584..302fc5a 100644
--- a/roles/knot/tasks/main.yml
+++ b/roles/knot/tasks/main.yml
@@ -16,17 +16,24 @@
 - name: Generate tsig
 become: yes
- ansible.builtin.shell: keymgr -t {{ key_name }} > /etc/knot/{{ key_name }}.key
- args:
- creates: /etc/knot/{{ key_name }}.key
- when: "inventory_hostname in groups.primary"
+ ansible.builtin.shell:
+ cmd: "keymgr -t {{ key_name }} > /etc/knot/{{ key_name }}.key"
+ creates: "/etc/knot/{{ key_name }}.key"
+ run_once: True
 - name: Fetch key
 become: yes
 ansible.builtin.slurp:
 src: /etc/knot/{{ key_name }}.key
 register: tsig_key
- when: "inventory_hostname in groups.primary"
+ run_once: True
+
+- name: Populate key to all host
+ set_facts:
+ tsig_key_content: {{ tsig_key['content'] | b64decode }}
+ run_once: True
+ with_items: "{{ play_hosts }}"
+ delegate_to: "{{ item }}"
 - name: Deploy conf
 become: yes
diff --git a/roles/knot/templates/knot.conf.j2 b/roles/knot/templates/knot.conf.j2
index 576ca3c..8901739 100644
--- a/roles/knot/templates/knot.conf.j2
+++ b/roles/knot/templates/knot.conf.j2
@@ -7,7 +7,7 @@ log:
 - target: syslog
 any: info
-{{ tsig_key.content | b64decode }}
+{{ tsig_key_content }}
 remote:
 {% for host in groups.all %}
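Review bot: The added `Populate key to all host` task cannot run as written: `set_facts` is not a module (the builtin is `ansible.builtin.set_fact`), and the unquoted value is parsed by YAML as a flow mapping, so it should read `tsig_key_content: "{{ tsig_key['content'] | b64decode }}"`. Without `delegate_facts: true`, a delegated `set_fact` stores the fact on the original host, not on `{{ item }}`, so the loop likely does not populate the other hosts. Since a `run_once` task already shares its registered result with every host in the batch, this task may not be needed at all. The slurped TSIG secret and the decoded fact can appear in task output on verbose runs, so add `no_log: true` to `Fetch key` and to this task. Replacing the `groups.primary` condition with `run_once` also means the key is generated on whichever host is first in the batch, and once per batch if the play uses `serial`; confirm that against the play, which is outside this hunk.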