usually zone transfer is done automatically between the zone's Master and Slave DNS BIND servers. On the secondary DNS server(s) the zone is defined as 'zone type slave' in named.conf then.
All editorial changes to a zone file will be done at the master only, with the slaves left untouched.
Zone transfers are initiated by the slaves automatically according to the zone's Refresh/Retry/Expiry timer values, or ad-hoc on receiving a 'notify' on a changed serial in the master zone file.
usually zone transfer is done automatically between the zone's Master and Slave DNS BIND servers.
On the secondary DNS server(s) the zone is defined as 'zone type slave' in named.conf then.
What makes your environment difficult and complicated is the fact that you ecxpect your slaves to be able to pull different zones from different masters ('Prod' and 'backup').
Don't know how to do that. AFAIK, there can be only one master, and all nameservers must be specified with your domain name registrar to be delegated in the domain.TLD root zone beforehand. There is no such thing as a 'backup' name server -- either it is there (in the TLD zone) and known and active, or it is not, and fiddling with your registrar with the TLD NS entries may add another level of complication (and additional propagation delay).
Perhaps the following approach may help:
-- DNS should be seen independently from your web services. If you would have one DNS master at a separate server, your capability to change DNS information would not fail when your web server fails.
-- 3 DNS servers: DNS1(master), DNS2(slave), DNS3(slave), each having an NS record in the zone file and listed with your domain name registrar.
-- If your webservice1 fails, you could just reload an alternate zone at the master (with updated serial) to point to webservice2, which would notify any surviving slave to trigger an ad-hoc zone transfer instantly.
-- If your master DNS fails, the slave(s) should survive on their own for several days if you have set the zone's Refresh/Retry/Expiry timer values accordingly. Enough time to decide to bring up the master again, or reconfigure DNS3 to become a new master and change the remaining slaves' config accordingly to point to the new master.
I am no expert, but this would perhaps work for me.
Hope that helps.