Improvements to dnssec-verify
This is both a bug report and a feature request.
dnssec-verify is not finding everything that is wrong with a zone. Possible reasons: it only looks for faults that would cause the zone's RRs to fail validation, and/or it ignores RRsets that would ordinarily be considered occluded, even though their DNSSEC state within the zone itself is ambiguous.
BIND version used
Potential new features/fixes
Detect RRsets that are DNSSEC-signed but should not be, because they are out-of-zone: for example, necessary glue, unnecessary (usually occluded) glue, and DNSKEY RRs that have inappropriately been added to the parent zone alongside the DS RRs.
Check that the NSEC/NSEC3 RRs do not 'cover' any RTYPEs that they should not (I'm assuming that the check already includes matching the RRsets present at the covered name against the type bitmap).
Better 'this is broken' error messages detailing exactly what is wrong, particularly when an NSEC/NSEC3 chain is broken.
Match NSEC3 RRs to the names they cover when reporting problems.
Add an option to supply a date/time to be treated as 'now' for the purposes of DNSSEC validation, so that a historic copy of a zone file can be checked retrospectively.
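As an added illustration of the first three requests (this is example code, not part of dnssec-verify or of this report), the following Python lint walks a constructed zone represented as (owner, type, rdata) tuples, with rdata abbreviated. It flags RRSIGs over glue, occluded or non-authoritative data at and below a delegation, compares each NSEC type bitmap with the authoritative types at its owner, and follows the NSEC chain from the apex; the zone, the tuple format and the fault wording are all assumptions made here.

```python
from collections import defaultdict

# Constructed sample zone. An RRSIG's first rdata token is the type it covers; an
# NSEC's rdata is "next-name type type ...". Three faults are planted deliberately.
ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 900 1209600 300"),
    ("example.", "NS", "ns1.example."),
    ("example.", "DNSKEY", "257 3 13 <key>"),
    ("example.", "RRSIG", "SOA <sig>"), ("example.", "RRSIG", "NS <sig>"),
    ("example.", "RRSIG", "DNSKEY <sig>"),
    ("example.", "NSEC", "ns1.example. SOA NS DNSKEY RRSIG NSEC"),
    ("ns1.example.", "A", "192.0.2.1"), ("ns1.example.", "RRSIG", "A <sig>"),
    ("ns1.example.", "NSEC", "sub.example. A RRSIG NSEC"),
    ("sub.example.", "NS", "ns.sub.example."),
    ("sub.example.", "DS", "12345 13 2 <digest>"),
    ("sub.example.", "RRSIG", "DS <sig>"),
    ("sub.example.", "NSEC", "example. NS DS RRSIG NSEC"),
    ("ns.sub.example.", "A", "192.0.2.53"),                # required glue
    ("ns.sub.example.", "RRSIG", "A <sig>"),               # fault: signed glue
    ("sub.example.", "DNSKEY", "257 3 13 <childkey>"),     # fault: child key in parent
    ("sub.example.", "RRSIG", "DNSKEY <sig>"),             # fault: ... and signed there
]
AT_CUT = {"NS", "DS", "RRSIG", "NSEC"}  # the only types authoritative in the parent at a cut

def lint_zone(zone, apex):
    by_name = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in zone:
        by_name[owner][rtype].append(rdata)
    cuts = {n for n, t in by_name.items() if "NS" in t and n != apex}
    faults = []
    for name, types in by_name.items():
        signed = {r.split()[0] for r in types.get("RRSIG", [])}
        if any(name.endswith("." + c) for c in cuts):        # below a cut: glue or occluded
            faults += [f"{name}: RRSIG over out-of-zone {t} RRset" for t in sorted(signed)]
            continue
        authoritative = set(types) & AT_CUT if name in cuts else set(types)
        for t in sorted(signed - authoritative):
            faults.append(f"{name}: RRSIG over non-authoritative {t} at delegation")
        if name in cuts and "DNSKEY" in types:
            faults.append(f"{name}: DNSKEY RRset belongs in the child zone, not the parent")
        for nsec in types.get("NSEC", []):                   # bitmap vs. types really present
            bitmap = set(nsec.split()[1:])
            if bitmap != authoritative:
                faults.append(f"{name}: NSEC bitmap {sorted(bitmap)} != {sorted(authoritative)}")
    # NSEC chain: following next-names from the apex must visit every NSEC owner and return
    nxt = {n: t["NSEC"][0].split()[0] for n, t in by_name.items() if "NSEC" in t}
    seen, cur = [], apex
    while cur in nxt and cur not in seen:
        seen.append(cur); cur = nxt[cur]
    if cur != apex or set(seen) != set(nxt):
        faults.append(f"NSEC chain broken at {seen[-1] if seen else apex}")
    return faults
```

Running `lint_zone(ZONE, "example.")` reports the three planted faults and nothing else; removing the planted records yields an empty list.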