Zone integrity: Installing ldns-zone-digest (here, on Ubuntu):
$ sudo apt install build-essential git dnsutils libldns-dev man
$ git clone https://github.com/verisign/ldns-zone-digest
$ cd ldns-zone-digest
$ make
$ sudo cp ldns-zone-digest /usr/local/bin
$ sudo mkdir -p /usr/local/man/man1
$ sudo cp ldns-zone-digest.1 /usr/local/man/man1
$ cd /etc/bind/zones/example.org
Adding the ZONEMD record. -p 1,1 inserts a placeholder ZONEMD for scheme 1 (SIMPLE) and hash algorithm 1 (SHA-384), -c calculates the digest over the zone, and -o writes the result to a separate file; the first "example.org" is the zone origin, the second the zone file:
$ sudo ldns-zone-digest -p 1,1 -o example.org.hashed -c example.org example.org
Loading Zone...4 records
Remove existing ZONEMD RRset
Add placeholder ZONEMD with scheme 1 and hash algorithm 1
Testing: modify the zone content in example.org.hashed (add a record, or just change the SOA serial, which is part of the digested data) and re-verify. The stored digest no longer matches the one calculated from the file:
$ ldns-zone-digest -v example.org example.org.hashed
Loading Zone...5 records
Found and calculated digests for scheme:hashalg 1:1 do NOT match.
Found     : 9d5e8bb15bace00ed7e69f46f5868102931dd1647d23de829380e48bf39a9e779ddc49365d029ef243d32568e80fbd57
Calculated: 2720148638160fc5cf8778462cdf572c13d78b68de1c960081d6d5c28c747d035119cae84b0921c2990bbf80500faff9
Put the hashed zone in production (undo the test edit first, or regenerate the digest):
$ sudo mv example.org.hashed example.org
Two caveats: the digest covers every record, including the SOA serial and TTLs, so the ZONEMD must be recalculated after every zone edit, before the zone is reloaded and transferred. And if the zone is DNSSEC-signed, the ZONEMD RRset at the apex must be signed like any other RRset (the RRSIG over ZONEMD is excluded from the digest calculation precisely so it can be regenerated afterwards); an unsigned ZONEMD only detects accidents, because anyone able to alter the zone can recompute it.
Subsequently, one would regularly:
- Transfer the zone from each remote authoritative server (AXFR, e.g. with dig from the dnsutils package installed above), or install ldns-zone-digest on all authoritative servers and verify the local copy there
- Run a verification as above (ldns-zone-digest -v) against each copy and ensure that every zone passes validation
This detects corrupted records, a zone truncated during transfer, and secondaries still serving a stale version (their ZONEMD serial and digest will not match the current zone).
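To make explicit what the verification above is actually checking (and why a changed SOA serial or a dropped record is caught), here is an added, independent implementation of the RFC 8976 SIMPLE scheme with SHA-384 over a small in-memory zone. It is example code written for these notes, not ldns-zone-digest's source; the five-record example.org zone is constructed, only SOA, NS, A and ZONEMD records are handled, and DNSSEC record types and zone-file parsing are out of scope.

```python
"""Independent RFC 8976 (ZONEMD) calculator/verifier for a small in-memory zone,
SIMPLE scheme (1) with SHA-384 (hash algorithm 1). Example code, not part of
ldns-zone-digest; handles only SOA, NS, A and ZONEMD records."""
import hashlib
import struct

RR_TYPES = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}
CLASS_IN = 1
SCHEME_SIMPLE, HASH_SHA384 = 1, 1

# Constructed sample zone: (owner, ttl, type, rdata text).
ZONE = [
    ("example.org.", 3600, "SOA",
     "ns1.example.org. hostmaster.example.org. 2024010101 7200 900 1209600 300"),
    ("example.org.", 3600, "NS", "ns1.example.org."),
    ("example.org.", 3600, "NS", "ns2.example.org."),
    ("ns1.example.org.", 3600, "A", "192.0.2.1"),
    ("ns2.example.org.", 3600, "A", "192.0.2.2"),
]


def name_wire(name):
    """Canonical uncompressed wire form (RFC 4034 6.2): lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def name_key(name):
    """Canonical ordering key (RFC 4034 6.1): labels compared right to left."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def rdata_wire(rtype, rdata):
    """Canonical RDATA wire form for the handled types (embedded names lowercased)."""
    f = rdata.split()
    if rtype == "A":
        return bytes(int(o) for o in f[0].split("."))
    if rtype == "NS":
        return name_wire(f[0])
    if rtype == "SOA":
        return name_wire(f[0]) + name_wire(f[1]) + struct.pack("!5I", *map(int, f[2:7]))
    if rtype == "ZONEMD":  # Serial, Scheme, Hash Algorithm, Digest
        return struct.pack("!IBB", int(f[0]), int(f[1]), int(f[2])) + bytes.fromhex(f[3])
    raise ValueError("unsupported type " + rtype)


def rr_wire(owner, ttl, rtype, rdata):
    """Whole RR in wire form: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA (TTL is digested too)."""
    rd = rdata_wire(rtype, rdata)
    return name_wire(owner) + struct.pack("!HHIH", RR_TYPES[rtype], CLASS_IN, ttl, len(rd)) + rd


def apex_of(zone):
    return next(owner for owner, _, rtype, _ in zone if rtype == "SOA")


def soa_serial(zone):
    return int(next(rd for _, _, rtype, rd in zone if rtype == "SOA").split()[2])


def compute_digest(zone):
    """RFC 8976 3.3: drop duplicates and the apex ZONEMD RRset, order by owner name,
    then RR type, then RDATA, and SHA-384 the concatenated wire-format RRs."""
    apex = apex_of(zone).lower()
    seen, ordered = set(), []
    for owner, ttl, rtype, rdata in zone:
        if rtype == "ZONEMD" and owner.lower() == apex:
            continue                                    # apex ZONEMD is never digested
        rd = rdata_wire(rtype, rdata)
        key = (owner.lower(), RR_TYPES[rtype], rd)
        if key in seen:
            continue                                    # duplicate RRs count once
        seen.add(key)
        ordered.append((name_key(owner), RR_TYPES[rtype], rd, rr_wire(owner, ttl, rtype, rdata)))
    ordered.sort(key=lambda t: t[:3])
    return hashlib.sha384(b"".join(t[3] for t in ordered)).hexdigest()


def add_zonemd(zone):
    """Replace any apex ZONEMD RRset with a freshly calculated one (what -c does)."""
    apex = apex_of(zone)
    kept = [rr for rr in zone if not (rr[2] == "ZONEMD" and rr[0].lower() == apex.lower())]
    digest = compute_digest(kept)
    return kept + [(apex, 3600, "ZONEMD",
                    f"{soa_serial(zone)} {SCHEME_SIMPLE} {HASH_SHA384} {digest}")]


def verify_zone(zone):
    """Return (status, found, calculated); status is 'match', 'mismatch' or 'absent'.
    A ZONEMD whose Serial differs from the SOA serial is a mismatch (RFC 8976 section 4)."""
    apex = apex_of(zone).lower()
    calculated = compute_digest(zone)
    for owner, _, rtype, rdata in zone:
        if rtype == "ZONEMD" and owner.lower() == apex:
            serial, scheme, alg, found = rdata.split()
            if (int(scheme), int(alg)) != (SCHEME_SIMPLE, HASH_SHA384):
                continue
            ok = found == calculated and int(serial) == soa_serial(zone)
            return ("match" if ok else "mismatch", found, calculated)
    return ("absent", None, calculated)


if __name__ == "__main__":
    hashed = add_zonemd(ZONE)
    print("fresh zone:        ", verify_zone(hashed)[0])
    bumped = [(ZONE[0][0], 3600, "SOA", ZONE[0][3].replace("2024010101", "2024010102"))] + hashed[1:]
    print("SOA serial changed:", verify_zone(bumped)[0])
    print("truncated transfer:", verify_zone(hashed[:-2] + hashed[-1:])[0])
```

Run stand-alone it reports "match" for the freshly digested zone and "mismatch" after a serial bump or a dropped record, which is the same distinction the ldns-zone-digest -v output above makes. Because the apex ZONEMD is excluded from its own calculation, computing the digest before and after adding the record gives the same value; owner names and names inside RDATA are lowercased before hashing, so a zone file that differs only in letter case verifies identically.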