I think nips 26 and 46 address this issue, and nsecbunker is an existing solution based on that spec.
I haven't read those nips, but I will.
reply