How to keep the KSK private key offline with BIND dynamic signing?

2016-01-24 Thread Arun N S
Tried to include DNSKEY, RRSIG for the KSK manually in the unsigned zone file along with the ZSK key ($INCLUDE dynamic/example.com.+008+012345.key). The dnssec-signzone succeeded, even though it was complaining about the path for KSK.

# dnssec-signzone-pkcs11 example.com
dnssec-signzone: warning:

Re: native pkcs#11 and dynamic signing issues

2016-01-24 Thread Arun N S
The issue is fixed. I was using the default named daemon, which is not aware of the native pkcs#11 compiled in. Started named-pkcs11, fixed a couple of permission issues, and it worked.

# rndc sign example.com
received control channel command 'sign example.com'
zone sa/IN (signed): reconfiguring z