[Opendnssec-user] ODS2 signs a hidden-primary's zone data: best to push the signed data back to the primary to push to secondaries? or skip it, and let ODS2 populate them?

[PGNet Dev]

I'm adding ODS2 to my DNS infrastructure.

Atm, I've a hidden DNS primary, running split-view (external & internal) BIND9, located inside my LAN.

Only the LAN/24 sees the internal view.

The external sends NOTIFY to a hidden secondary on a VPS, which is NSD4.

My VPS-provider's nameservers pull changes from the hidden secondary instance, and publish responses publicly.

ODS2 execs atm on the same box as the hidden-primary, inside my LAN.

It retrieves zone data from the primary by AXFR, and listens for NOTIFY from it as well.

ODS2 then signs the data ... and either

(1) I can push the resulting ODS2-signed zones back to the hidden-primary's external view, and have Bind9 push the changes up through the secondary, etc.

Or,

(2) I can have ODS2 NOTIFY the secondary itself, pushing the signed-zone data onto the VPS instance, and never bother keeping an instance of the signed-zone data "in" the primary's zone data.

Is there any particular reason/advantage of keeping a local instance of the SIGNED zone data 'active' in the hidden-primary's external view, vs. just pushing it out to the secondary directly, still letting the ISP's nameservers consume/publish it from there?

Or is it simply a matter of convenience/preference, with no particular advantage one way or the other?