How to handle an offline KSK

Hello,

Signing a zone using ldns-signzone is easy, at least if the KSK and ZSK are both available.

I would like to change the setup so that host2 has no access to ksk.private.
This is how I think things would go:

Host1:
   create a ksk
   create a zsk
   sign this zsk
   transfer ksk.public + zsk.private + zsk.sig to Host2

Host2:
   include {ksk/zsk}.public in zone
   include zsk.sig in zone
   sign zone
   transfer ksk.public (or the DS(ksk.public)) to the delegating domain.

Any suggestions on whether this is correct, and how to do that using ldns tools?
(at least: ... not using BIND tools ...)

Thanks,
Andreas
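
The Host1/Host2 split described in the post above, worked through as an added example that is not part of the thread and is not ldns code. It is stdlib Python: the key pairs are a toy textbook RSA (hash-then-exponentiate, no padding) generated inside the script so it runs offline, standing in for what ldns-keygen would produce; the DNSKEY, DS and RRSIG formats are simplified text, NSEC/NSEC3 is left out, and the zone name and records are constructed. What it shows is exactly the hand-off Andreas sketches: Host1 keeps ksk.private and ships only ksk.public, zsk.private and the KSK-made RRSIG over the DNSKEY RRset; Host2 signs everything else with the ZSK; a validator starts from the parent's DS and walks DS -> KSK -> ZSK -> data.

```python
"""Offline-KSK split signing modelled in stdlib Python. Added example, not code
from this thread or from ldns: keys are toy textbook RSA made here so it runs
offline (ldns-keygen makes real keys), and record formats are simplified."""
import hashlib, secrets

ZONE = "example.org."  # constructed zone name
ONE_DAY = 86400

def _sha256(b): return hashlib.sha256(b).digest()

def _probable_prime(n, rounds=16):
    """Miller-Rabin on an odd candidate; enough for a toy key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def keygen(bits=256):
    """Toy RSA pair ((d, n), (e, n)); stands in for ldns-keygen."""
    e, primes = 65537, set()
    while len(primes) < 2:  # e is prime, so (c-1) % e != 0 keeps gcd(e, phi) == 1
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if (c - 1) % e and _probable_prime(c):
            primes.add(c)
    p, q = primes
    return (pow(e, -1, (p - 1) * (q - 1)), p * q), (e, p * q)

def dnskey_rdata(pub, ksk):  # flags (257 KSK / 256 ZSK), protocol, toy alg, key
    return f"{257 if ksk else 256} 3 0 {pub[0]:x}:{pub[1]:x}"

def key_tag(rdata):
    return int.from_bytes(_sha256(rdata.encode())[:2], "big")

def ds_rdata(ksk_rdata):  # what the delegating zone publishes for this KSK
    return f"{key_tag(ksk_rdata)} 0 2 {_sha256((ZONE + ksk_rdata).encode()).hex()}"

def _rrsig_input(owner, rrtype, rdatas, tag, expire):
    canon = "\n".join(f"{owner} {rrtype} {r}" for r in sorted(rdatas))
    return int.from_bytes(_sha256(f"{canon}|{tag}|{expire}".encode()), "big")

def make_rrsig(priv, key_rdata, owner, rrtype, rdatas, expire):
    d, n = priv
    tag = key_tag(key_rdata)
    return {"key_tag": tag, "expire": expire,
            "sig": pow(_rrsig_input(owner, rrtype, rdatas, tag, expire), d, n)}

def rrsig_valid(key_rdata, owner, rrtype, rdatas, sig, now):
    if now > sig["expire"] or sig["key_tag"] != key_tag(key_rdata):
        return False
    e, n = (int(x, 16) for x in key_rdata.split()[3].split(":"))
    return pow(sig["sig"], e, n) == _rrsig_input(owner, rrtype, rdatas, sig["key_tag"], sig["expire"])

# Host1 (offline): makes both keys, KSK signs the DNSKEY RRset, ksk.private never leaves.
def host1_prepare(now):
    ksk_priv, ksk_pub = keygen()
    zsk_priv, zsk_pub = keygen()
    ksk_rdata = dnskey_rdata(ksk_pub, ksk=True)
    dnskey_rrset = [ksk_rdata, dnskey_rdata(zsk_pub, ksk=False)]
    sig = make_rrsig(ksk_priv, ksk_rdata, ZONE, "DNSKEY", dnskey_rrset, now + 30 * ONE_DAY)
    return ds_rdata(ksk_rdata), {"dnskey": dnskey_rrset, "zsk_private": zsk_priv, "dnskey_sig": sig}

# Host2 (online): gets ksk.public + zsk.private + RRSIG(DNSKEY); signs everything but DNSKEY.
def host2_sign_zone(unsigned, bundle, now):
    zsk_rdata = next(r for r in bundle["dnskey"] if r.startswith("256 "))
    signed = {(ZONE, "DNSKEY"): (bundle["dnskey"], bundle["dnskey_sig"])}
    for (owner, rrtype), rdatas in unsigned.items():
        if rrtype == "DNSKEY":
            raise ValueError("DNSKEY RRset must arrive pre-signed from Host1")
        sig = make_rrsig(bundle["zsk_private"], zsk_rdata, owner, rrtype, rdatas, now + 7 * ONE_DAY)
        signed[(owner, rrtype)] = (rdatas, sig)
    return signed

# Validating resolver: trusts only the parent's DS and walks DS -> KSK -> ZSK -> data.
def validate(signed, ds, now):
    dnskey_rrset, dnskey_sig = signed[(ZONE, "DNSKEY")]
    ksk = [r for r in dnskey_rrset if r.startswith("257 ") and ds_rdata(r) == ds]
    if not ksk or not rrsig_valid(ksk[0], ZONE, "DNSKEY", dnskey_rrset, dnskey_sig, now):
        return False  # bogus: no KSK matches the DS, or RRSIG(DNSKEY) is bad or expired
    zsks = [r for r in dnskey_rrset if r.startswith("256 ")]
    return all(any(rrsig_valid(z, o, t, rd, s, now) for z in zsks)
               for (o, t), (rd, s) in signed.items() if t != "DNSKEY")

UNSIGNED_ZONE = {  # constructed records
    (ZONE, "SOA"): ["ns1.example.org. hostmaster.example.org. 2022092201 3600 900 1209600 300"],
    (ZONE, "NS"): ["ns1.example.org.", "ns2.example.org."],
    ("www.example.org.", "A"): ["192.0.2.10"],
}

if __name__ == "__main__":
    now = 1663804800
    ds, bundle = host1_prepare(now)
    signed = host2_sign_zone(UNSIGNED_ZONE, bundle, now)
    print("DS:", ds, "\nvalid now:", validate(signed, ds, now),
          "\nvalid after RRSIG(DNSKEY) expiry:", validate(signed, ds, now + 31 * ONE_DAY))
```

Two things the model makes visible that the step list does not: the RRSIG Host1 makes over the DNSKEY RRset carries an expiration, so Host1 has to be brought back up to produce a fresh one before it runs out, or the whole zone goes bogus at the apex even though every ZSK signature is fine; and Host2 cannot roll the ZSK on its own, because a ZSK that is not in the KSK-signed DNSKEY RRset validates nothing. Both are trips to the offline host that need scheduling. The real tools differ in detail (wire-format RRSIG fields, NSEC/NSEC3 chains, and whatever ldns-signzone does with an RRSIG already present in its input), so treat this as the shape of the procedure, not as a description of ldns behaviour.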

> Any suggestions on whether this is correct, and how to do that using ldns tools?

Only seven years have elapsed since you asked this question, and I hope you've
not been holding your breath. :slight_smile:

I was asked yesterday and decided I should do something [1] about it. For
posterity I mention this here.

  -JP

[1] https://jpmens.net/2022/09/22/dnssec-signing-with-an-offline-ksk/