Implement ZoneMD signature generation and verification.
ZoneMD is described in https://datatracker.ietf.org/doc/html/rfc8976.
The record type is currently implemented; see #867 (closed).
ZONEMD generation and verification need to be added to both dnssec-signzone and named.
ZONEMD verification needs to be added to dnssec-verify. Does this need a separate flag to say to expect ZONEMD?
There needs to be a way to signal to named that ZONEMD generation is to be performed for UPDATABLE zones. This generation will need to be performed in the post-update stage and must be completed before the UPDATE request is responded to. This needs to occur after the zone's serial is computed. The NSEC and NSEC3 record generation for the zone apex needs to be aware of whether ZONEMD is to be generated or not. If ZONEMD generation ends up requiring the zone to be walked incrementally, we will need to delay other updates to the zone until ZONEMD completes. ZONEMD must be included in each delta for a zone that is being updated.
There needs to be a way to signal to named that ZONEMD should be generated for inline zones. Similar requirements to UPDATABLE zones apply to inline zones as well.
There needs to be a way to signal to named that ZONEMD validation needs to be performed for a zone. This needs to complete before the zone's contents are made visible to clients. This needs to be performed for both IXFR and AXFR. This may need to be performed incrementally. If it is being performed incrementally, other transfers of the zone need to be deferred.
For IXFR, do we need to check ZONEMD for each delta or only at the end of the final delta of an IXFR?
For dnssec-signzone we need a way to signal that ZONEMD should be generated.
For dnssec-signzone, do we need a separate flag to verify the ZONEMD or do we use the existing flag?
For dnssec-signzone, what is the behaviour if the existing zone has a ZONEMD? Do we have an "auto" state?
What impact does this have on kasp?
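
As an added illustration (not BIND code, and in Python rather than BIND's C for brevity), this is the kind of check a secondary would run over a complete AXFR before making the zone visible: the RFC 8976 SIMPLE scheme with SHA-384. The function names are hypothetical, and the sketch assumes RDATA is already in canonical uncompressed wire form and that DNSSEC validation of the ZONEMD RRset, if the zone is signed, happens elsewhere.

```python
import hashlib
import struct

SOA, RRSIG, ZONEMD = 6, 46, 63  # RR type codes
SIMPLE, SHA384 = 1, 1           # RFC 8976 scheme / hash algorithm codes

def labels(name):
    """Lowercased labels of an absolute name: 'Example.' -> [b'example']."""
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]

def rr_wire(owner, rtype, rclass, ttl, rdata):
    """Uncompressed wire form: owner | type | class | TTL | RDLENGTH | RDATA."""
    name = b"".join(bytes([len(l)]) + l for l in labels(owner)) + b"\x00"
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def simple_digest(zone, apex):
    """SHA-384 over the zone (SIMPLE scheme); zone = [(owner, type, class, ttl, rdata)]."""
    unique = {}
    for rr in zone:
        owner, rtype, rclass, _ttl, rdata = rr
        covers_zonemd = rtype == RRSIG and rdata[:2] == struct.pack("!H", ZONEMD)
        if labels(owner) == labels(apex) and (rtype == ZONEMD or covers_zonemd):
            continue  # apex ZONEMD and its RRSIG are never part of the digest
        # Duplicates (same owner, class, type, RDATA) are hashed once.
        unique.setdefault((tuple(labels(owner)), rclass, rtype, rdata), rr)
    # Canonical order: owner by labels right to left, then type, then RDATA octets.
    ordered = sorted(unique.values(), key=lambda r: (labels(r[0])[::-1], r[1], r[4]))
    h = hashlib.sha384()
    for rr in ordered:
        h.update(rr_wire(*rr))
    return h.digest()

def verify_zonemd(zone, apex):
    """True only if exactly one supported apex ZONEMD matches SOA serial and digest."""
    at_apex = [r for r in zone if labels(r[0]) == labels(apex)]
    soa = [r[4] for r in at_apex if r[1] == SOA]
    zmd = [r[4] for r in at_apex
           if r[1] == ZONEMD and r[4][4:6] == bytes([SIMPLE, SHA384])]
    if len(soa) != 1 or len(zmd) != 1:
        return False  # missing, ambiguous or unsupported: not verified
    if soa[0][-20:-16] != zmd[0][:4]:
        return False  # ZONEMD serial must equal the SOA serial
    return zmd[0][6:] == simple_digest(zone, apex)

if __name__ == "__main__":  # constructed sample zone
    soa = b"\x02ns\x07example\x00\x05admin\x07example\x00" + struct.pack("!5I", 1, 7200, 3600, 1209600, 3600)
    zone = [("example.", SOA, 1, 3600, soa), ("ns.example.", 1, 1, 3600, bytes([192, 0, 2, 1]))]
    zone.append(("example.", ZONEMD, 1, 3600, struct.pack("!IBB", 1, SIMPLE, SHA384) + simple_digest(zone, "example.")))
    print(verify_zonemd(zone, "example."))
```

Because the digest covers the whole sorted zone, this form only applies once a transfer is complete; it does not answer the per-delta IXFR question raised above.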