
Don't read private key files for offline KSKs

When appending the contents of a DNSKEY rdataset to a keylist,
don't attempt to read the private key file of a KSK when we are in
offline-ksk mode.
This commit is contained in:
Matthijs Mekking
2024-06-19 14:07:06 +02:00
parent 2190aa904f
commit 30d20b110e
2 changed files with 11 additions and 0 deletions


@@ -1599,6 +1599,13 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
}
RETERR(result);
if (kasp != NULL && dns_kasp_offlineksk(kasp) &&
(dst_key_flags(dnskey) & DNS_KEYFLAG_KSK) != 0)
{
result = ISC_R_NOPERM;
goto addkey;
}
/* Now read the private key. */
result = keyfromfile(
kasp, directory, dnskey,
@@ -1664,6 +1671,7 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
filename, isc_result_totext(result));
}
addkey:
if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
if (pubkey != NULL) {
addkey(keylist, &pubkey, savekeys, mctx);
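Review bot: The new `if (kasp != NULL && dns_kasp_offlineksk(kasp) && ...)` branch reuses ISC_R_NOPERM as an in-band sentinel meaning "private key intentionally not read", the same code a genuinely unreadable private key file from keyfromfile() presumably produces; the check at `addkey:` treats both alike, so the key is still appended through addkey() with only its public half, but nothing at the goto says this is deliberate. I would add, above `result = ISC_R_NOPERM;`, the comment `/* Offline KSK: the private key is intentionally unavailable here; ISC_R_NOPERM makes the addkey: path below keep the public key. */`. A future change that starts logging ISC_R_NOPERM as an error at addkey: would then knowingly have to exclude this case. The enclosing function dns_dnssec_keylistfromrdataset starts before the first hunk and continues past the second, and the second hunk looks cut short in this rendering.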


@@ -325,6 +325,9 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
* 'keysigs' and 'soasigs', if not NULL and associated, contain the
* RRSIGS for the DNSKEY and SOA records respectively and are used to mark
* whether a key is already active in the zone.
*
* Private key files for keys with the KSK role are skipped if kasp is in
* offline-ksk mode.
*/
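Review bot: The added header sentence says which private key files are skipped but not what the caller then finds in 'keylist' for such a key, which is the part a caller choosing signing keys needs; from the companion .c hunk it appears the key is still added as a public-key-only entry. I would extend the sentence to `* Private key files for keys with the KSK role are skipped if kasp is in` / `* offline-ksk mode; such keys are still added to 'keylist' as public keys only.`, adjusting if that reading of the .c change is wrong. The documented declaration continues after the hunk.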
isc_result_t