[dns-operations] Implementation of negative trust anchors?
Phil Regnauld
regnauld at nsrc.org
Tue Aug 27 19:15:02 UTC 2013
Carlos M. Martinez (carlosm3011) writes:
> I agree, triggering some script after certain events and conditioning zone acceptance on the result of the script is a nice approach. I like it.
This is the recommended approach for any zone production system, DNSSEC
or not. Content (truncated zones, premature end of file), logical (missing
NSes, broken SOA) or syntactical (5 byte IPv4 addresses. Really.), etc...
That's why validns was written in the first place (that, and checking
DNSSEC signatures). At every step (output from DB, pre-signature, post-
signature, etc), verify. Rollback otherwise (or just don't publish).
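
The verify-then-publish gate described in the message above, as an added example that is not part of the original post and is not validns itself. It assumes a simplified zone format (one record per line, no parentheses or $-directives); the zone `example.test.`, the names `check_zone` and `gate`, and the `max_shrink` threshold are hypothetical.

```python
import ipaddress

# Constructed sample zone (simplified master file: one record per line,
# "owner TTL IN TYPE RDATA", no parentheses or $-directives).
GOOD = """\
example.test. 3600 IN SOA ns1.example.test. host.example.test. 2013082701 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
ns2.example.test. 3600 IN A 192.0.2.2
"""

def check_zone(text, origin, prev_count=None, max_shrink=0.5):
    """Return a list of problems; an empty list means the zone may be published."""
    errors = []
    if not text.endswith("\n"):
        errors.append("content: file does not end with a newline (premature EOF?)")
    soa, ns, count = 0, 0, 0
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or f[0].startswith(";"):
            continue
        if len(f) < 5 or not f[1].isdigit() or f[2].upper() != "IN":
            errors.append(f"syntax: line {n}: malformed record")
            continue
        count += 1
        owner, rtype, rdata = f[0].lower(), f[3].upper(), f[4:]
        if rtype == "SOA" and owner == origin:
            soa += 1
            if len(rdata) != 7 or not all(x.isdigit() for x in rdata[2:]):
                errors.append(f"logical: line {n}: broken SOA")
        elif rtype == "NS" and owner == origin:
            ns += 1
        elif rtype == "A":
            try:
                ipaddress.IPv4Address(rdata[0])
            except ValueError:
                errors.append(f"syntax: line {n}: bad IPv4 address {rdata[0]!r}")
    if soa != 1:
        errors.append(f"logical: expected 1 SOA at apex, found {soa}")
    if ns == 0:
        errors.append("logical: no NS records at apex")
    if prev_count and count < prev_count * (1 - max_shrink):
        errors.append(f"content: {count} records, was {prev_count} (truncated?)")
    return errors

def gate(text, origin, prev_count=None):
    """Publish decision for one pipeline stage: True only if no check failed."""
    return not check_zone(text, origin, prev_count)
```

Run the same gate on each stage's output (database export, pre-signature, post-signature) and keep serving the previous zone whenever it returns False.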