[dns-operations] DS keys for child zones on same server & inline signing

Evan Hunt each at isc.org
Fri Mar 15 20:12:18 UTC 2013


> > I thought that wasn't necessary with inline-signing mode.
> 
> Right, but I think inline-signing implies either DNS UPDATE or IXFR.
> Manually editing a zone file without rolling the journal back in first is
> universally bad, I think.

Tony's correct -- with inline-signing, the zone loads a "raw" copy of
the zone, clones it into a "signed" copy, and then adds signatures only
to the signed one.  You can configure it so the raw side is dynamic and
can receive DDNS updates, but you don't have to.  If it's configured
like a plain old vanilla static zone, then you don't need to freeze it;
modifying the original zone file (not forgetting to bump the serial number)
and running "rndc reload" should Just Work.

This may be a bug, I'll try it and see.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
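
The static-zone path described in the message above (edit the raw zone file, bump the serial, `rndc reload`), sketched as an added example that is not part of the original post or of BIND itself. The function names, the default server address `127.0.0.1`, and the assumption that the serial is the first token after the SOA's MNAME and RNAME are this example's own.

```shell
#!/bin/sh
# Added example: function names and defaults are hypothetical, not from the post.

# bump_serial ZONEFILE: increment the SOA serial of the raw zone file in place.
# Assumes the serial is the first token after the SOA's MNAME and RNAME.
bump_serial() {
    zonefile=$1
    tmp=$(mktemp) || return 1
    if awk '
        {
            line = $0
            if (!bumped) {
                code = line
                sub(/;.*/, "", code)            # ignore comments while tokenising
                pos = 1
                while (match(substr(code, pos), /[^ \t()]+/)) {
                    start = pos + RSTART - 1
                    len = RLENGTH
                    tok = substr(code, start, len)
                    pos = start + len
                    if (!soa) {
                        if (toupper(tok) == "SOA") { soa = 1; skip = 2 }
                        continue
                    }
                    if (skip > 0) { skip--; continue }   # MNAME, then RNAME
                    if (tok !~ /^[0-9]+$/) exit          # malformed SOA: give up
                    new = sprintf("%.0f", (tok + 1) % 4294967296)  # 32-bit wrap
                    line = substr(line, 1, start - 1) new substr(line, start + len)
                    bumped = 1
                    break
                }
            }
            print line
        }
        END { exit (bumped ? 0 : 1) }
    ' "$zonefile" > "$tmp"; then
        cat "$tmp" > "$zonefile"                # keep owner and mode of the file
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# publish_zone ZONE ZONEFILE [SERVER]: reload a static raw zone, no "rndc freeze".
publish_zone() {
    zone=$1 zonefile=$2 server=${3:-127.0.0.1}
    bump_serial "$zonefile" || { echo "no SOA serial in $zonefile" >&2; return 1; }
    named-checkzone "$zone" "$zonefile" || return 1   # validate the raw file first
    rndc reload "$zone" || return 1
    dig +dnssec +norecurse "@$server" "$zone" SOA     # expect SOA plus RRSIG
}
```

Run it as `publish_zone example.com /path/to/example.com.db` after editing the records; the zone name and path here are constructed.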


