move expired/removed zone keys to a different directory
Currently the configured key-directory holds both current and expired zone keys. With a dnssec-policy rotating keys on a regular basis, expired keys accumulate over time, and as they are placed in the same key-directory as current keys, it would be easy for an administrator trying to archive/remove expired keys to get it wrong and mistakenly remove keys that are still in use. Maybe moving expired keys to a different location would help reduce the risk of such mistakes ?
- Allow specifying a different directory for expired keys to be automatically moved to.
- By default, keys in that archive directory should not show in rndc dnssec -status output.