Create keys when necessary
BIND 9 has a (currently unused) zone flag
DNS_ZONEKEY_CREATE that may be set to create DNSSEC keys when needed.
This will be set if a
dnssec-policy is configured. We could also introduce a new value for
auto-dnssec: next to
maintain a new option
full will do the same as
maintain but also create keys if necessary.
This will create keys if at startup the zone has no matching keys, or if a rollover is initiated and there are no successor keys.