advice wanted: key management for nsupdate/DNSSEC

Richard Doty rad at twig.com
Tue Mar 24 23:39:03 UTC 2009


Greetings,

I am wondering how folks handle keys for zones that are going
to be signed with nsupdate.

It appears that named wants the zone signing keys to be in the
location identified by the "directory" parameter, yes?  Putting
all keys in one directory seems like a scaling issue, besides which
I believe that particular directory needs to be writable by named
so it can create core files.  I have to leave the keys online for
nsupdate, but named doesn't need to modify them itself.

It would be cool if the location of per-zone keys were a per-zone
configuration parameter, but I can't find any suggestion of that
in the code.  Maybe I'm looking in the wrong place.

How do you manage your nsupdate keys?

Thanks,

Richard.
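
The constraint raised in the post (private keys that named can read but cannot modify, in a directory named may be able to write to) can be checked from file and directory mode bits. This is an added example, not part of the original message and not BIND code; the function names are hypothetical, and it assumes `K*.private` files as written by dnssec-keygen, a non-root daemon account, and plain mode bits with no ACLs.

```python
import os
import stat
from pathlib import Path

def _perm(st, uid, gids):
    """Return the rwx bits (0-7) that apply to a non-root process with this uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_key_dir(key_dir, daemon_uid, daemon_gids):
    """Report private keys the daemon cannot read, can modify, or can
    replace through write access to the containing directory."""
    findings = []
    key_dir = Path(key_dir)
    dst = key_dir.stat()
    dir_writable = _perm(dst, daemon_uid, daemon_gids) & 2
    sticky = dst.st_mode & stat.S_ISVTX
    for key in sorted(key_dir.glob("K*.private")):
        st = key.stat()
        bits = _perm(st, daemon_uid, daemon_gids)
        if not bits & 4:
            findings.append((key.name, "daemon cannot read key"))
        if bits & 2:
            findings.append((key.name, "daemon can modify key"))
        if st.st_mode & stat.S_IROTH:
            findings.append((key.name, "private key is world-readable"))
        # Write access to a directory allows unlink/rename of any entry,
        # whatever the file mode, unless the sticky bit is set and the
        # daemon owns neither the directory nor the file.
        owns = daemon_uid in (dst.st_uid, st.st_uid)
        if dir_writable and (not sticky or owns):
            findings.append((key.name, "daemon can replace key via directory"))
    return findings

if __name__ == "__main__":
    import pwd, sys
    pw = pwd.getpwnam(sys.argv[2])  # account the name server runs as
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for name, problem in audit_key_dir(sys.argv[1], pw.pw_uid, gids):
        print(f"{name}: {problem}")
```

Run it with the key directory and the daemon account name as arguments; an empty result means the keys are readable by the daemon but neither writable nor replaceable by it.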


