Today, we released version 4.6.0 of the authoritative DNS nameserver NSD.
This release adds the zone verification support from the CreDNS code. There are also some bug fixes in the IXFR out code.
Zone verification can start a verifier program that reads the new zone data. The verifier can reject the update or process the new zone data. The intent is for a DNSSEC verifier to inspect the zone before it is passed on with zone transfer or served to clients.
Zone verification can be enabled with enable: yes in the verify section in nsd.conf. You can then list the interfaces that NSD listens on while the verifier is active, so that the verifier can send queries for the new zone contents. With verify-zones: yes, zones are verified by default. The command that is executed can be set with the verifier: ldns-verify-zone option. With verifier-count the maximum number of concurrent verifiers can be set. With the verifier-feed-zone: yes option the zone can be input on stdin to the verifier program. A timeout to stop the verifier can be set with the verifier-timeout option.
Zone verification options can also be set per zone, in a pattern or in a zone. With verify-zone the zone verification can be enabled per zone. The verifier can be set per zone, and the verifier-feed-zone and verifier-timeout options can be controlled per zone.
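The options described above, put together as an nsd.conf fragment. This is an added example, not configuration from the NSD release itself. The ip-address option name for the verifier interface, the loopback address and port, the counts and timeouts, and the pattern and zone names are assumptions chosen for illustration.

```conf
# Added example: server-wide zone verification settings (values are illustrative).
verify:
    # Turn the zone verification feature on.
    enable: yes
    # Interface NSD listens on while a verifier is active, so the verifier
    # can query the new zone contents (assumed: loopback only, so the
    # unverified zone is not reachable from other hosts).
    ip-address: 127.0.0.1@5347
    # Verify every zone unless a pattern or zone says otherwise.
    verify-zones: yes
    # Program started for each updated zone.
    verifier: ldns-verify-zone
    # At most two verifiers run concurrently.
    verifier-count: 2
    # Feed the new zone data to the verifier on stdin.
    verifier-feed-zone: yes
    # Stop a verifier that runs longer than this many seconds.
    verifier-timeout: 60

# Per-zone options set through a pattern (hypothetical pattern name).
pattern:
    name: "signed-slow"
    verify-zone: yes
    verifier: ldns-verify-zone
    verifier-feed-zone: yes
    # Large signed zones get more time than the server-wide default.
    verifier-timeout: 300

# Constructed zone names; other zone options are omitted from this fragment.
zone:
    name: "example.org"
    include-pattern: "signed-slow"

zone:
    name: "unsigned.example"
    # An unsigned zone would be rejected by a DNSSEC verifier, so it is
    # excluded from the verify-zones default here.
    verify-zone: no
```

Running nsd-checkconf on the complete configuration file catches syntax errors before NSD is reloaded.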
You can get source packages of this version from the downloads page.