'inline-signing' might go away and be replaced by dnssec-policy?

PGNet Dev pgnet.dev at gmail.com
Wed Oct 26 17:55:13 UTC 2022


ls -1 keys/dnssec/example.com/
	(empty)

ls -1 namedb/primary/example.com*
	namedb/primary/example.com.zone    <====== ORIGINAL, unsigned zone file

cat etc/named.conf
	...
	zone "example.com" IN {
		type master; file "namedb/primary/example.com.zone";
		dnssec-policy "test";
		key-directory "keys/dnssec/example.com";
		update-policy {
			grant local-ddns zonesub any;
			grant test-key zonesub txt;
		};
	};
	...

rndc reload

ls -al keys/dnssec/example.com/
	keys/dnssec/example.com/Kexample.com.+013+22094.key
	keys/dnssec/example.com/Kexample.com.+013+22094.private
	keys/dnssec/example.com/Kexample.com.+013+22094.state
	keys/dnssec/example.com/Kexample.com.+013+51905.key
	keys/dnssec/example.com/Kexample.com.+013+51905.private
	keys/dnssec/example.com/Kexample.com.+013+51905.state

ls -1 namedb/primary/example.com*
	namedb/primary/example.com.zone    <====== OVERWRITTEN, *signed* zone file
	namedb/primary/example.com.zone.jnl



