> I was making the point that
> TSIG keys stored in key files (produced by dnssec-keygen)
> located in "keys-directory" are ignored
> by named and are not usable in zone "update-policy".
>
> Maybe this could be a way how to separate keys from
> named config file and to allow dynamic key management
> at run-time (with an equivalent of rndc loadkeys
> for these TSIG keys).

Interesting idea. I submitted it to the suggest queue as RT #37903.

If I wanted to do something like this using current BIND, I'd generate keys using "ddns-confgen -q", concatenate them into a named.conf include file, and run "rndc reconfig".
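The workaround described in the reply above, as an added example that is not part of the original message or of BIND itself: it appends a `ddns-confgen -q` key clause to an include file for each new key name, leaves existing keys untouched so clients holding them keep working, and then reloads the configuration. The include-file path, the `NAMED_GROUP` variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: maintain a named.conf include file of TSIG keys.
# Assumptions (not from the original message): the KEYFILE path, the
# NAMED_GROUP variable, and that named.conf already has: include "<KEYFILE>";
KEYFILE="${KEYFILE:-/etc/bind/ddns-keys.conf}"
KEYGEN="${KEYGEN:-ddns-confgen}"

# has_key FILE NAME: succeed if FILE already defines key "NAME".
# -x and -F match the whole line literally, so dots in NAME are not wildcards.
has_key() {
    [ -f "$1" ] && grep -qxF "key \"$2\" {" "$1"
}

# add_keys FILE NAME...: add a key clause for every NAME not yet in FILE.
# Prints the number of keys added.
add_keys() {
    file=$1; shift
    added=0
    # mktemp creates the file with mode 0600, so secrets are never world-readable.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    [ -f "$file" ] && cat "$file" > "$tmp"
    for name in "$@"; do
        if ! has_key "$tmp" "$name"; then
            "$KEYGEN" -q -k "$name" >> "$tmp" || { rm -f "$tmp"; return 1; }
            added=$((added + 1))
        fi
    done
    # named re-reads the file as its unprivileged user on "rndc reconfig";
    # when run as root, give that user's group read access and nothing more.
    if [ -n "${NAMED_GROUP:-}" ]; then
        chgrp "$NAMED_GROUP" "$tmp" && chmod 640 "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    # Rename within the same directory, so named never sees a half-written file.
    mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    echo "$added"
}

# Run only when key names are given on the command line.
if [ "$#" -gt 0 ]; then
    n=$(add_keys "$KEYFILE" "$@") || exit 1
    echo "added $n key(s) to $KEYFILE"
    # Validate the whole configuration before asking named to load it.
    named-checkconf && rndc reconfig
fi
```

Each generated secret still has to be delivered to its client over a protected channel; the script only manages the server side.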