APPKEY: where to store application keys?
storing non-DNS keys in a KEY RR under the same (delegated) zone name make these keys part of the same RRset as the zone signing key(s).
then this RRset needs re-signing (presently by the parent) each time these non-DNS keys change.
this is bad and should stop.
but where should we put those keys instead?