use CDS records in dnssec-checkds
The only standard way to know what a zone's DS records should be is to look at its CDS/CDNSKEY records. There are software-specific ways that inspect the signer's key store. And by itself the DNSKEY RRset is not enough during a rollover.
This patch series adds support for child-side DS management, for use by delegation update scripts, such as registrar API clients.
These scripts can use
dnssec-dsfromkey -k -f to get the expected DS records from a zonefile (or just the DNSKEY, CDNSKEY, and CDS records) without having to reimplement the logic themselves (e.g. skipping revoked keys, skipping SHA-1, etc.)
dnssec-checkds uses this new mode to correctly check consistency during rollovers.