Implement an equivalent of ldns compare-zones, ideally including the ability to compare the unsigned content of a signed version of a zone against its unsigned input.
Perhaps in a manner suggested by https://www.ietf.org/archive/id/draft-johani-tld-zone-pipeline-02.html#name-resulting-design-consequenc:
The requirement on being able to prove that no unsigned data has been modified during signing is most efficiently fulfilled by computing the ZONEMD checksum on the unsigned data after signing (i.e. the signed zone modulo the DNSSEC related records DNSKEY, RRSIG, NSEC, NSEC3, NSEC3PARAM, apex CDS and CDNSKEY) and comparing that to the ZONEMD checksum for the corresponding unsigned zone.
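A sketch of the comparison the quoted passage describes, added here as an illustration; it is not code from the draft or from this project. It assumes one record per line in `owner ttl class type rdata` form with fully qualified owner names, and a SHA-384 over the sorted text records stands in for the real ZONEMD digest, which RFC 8976 computes over canonical wire format. All function names and both sample zones are hypothetical.

```python
import hashlib
# Types the quoted passage strips from the signed zone; CDS/CDNSKEY only at the apex.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}
APEX_ONLY_TYPES = {"CDS", "CDNSKEY"}

def parse(zone_text):
    """Parse 'owner ttl class type rdata' lines into a set of normalised RR tuples."""
    rrs = set()
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
        rrs.add((owner.lower(), int(ttl), rrclass.upper(), rrtype.upper(),
                 " ".join(rdata.split())))
    return rrs

def unsigned_view(rrs, apex):
    """Drop the DNSSEC-related records, leaving the data the signer must not change."""
    apex = apex.lower()
    return {rr for rr in rrs
            if rr[3] not in DNSSEC_TYPES
            and not (rr[3] in APEX_ONLY_TYPES and rr[0] == apex)}

def digest(rrs):
    """SHA-384 over sorted records (assumed stand-in for the wire-format ZONEMD digest)."""
    h = hashlib.sha384()
    for rr in sorted(rrs):
        h.update(("\t".join(map(str, rr)) + "\n").encode())
    return h.hexdigest()

def compare(unsigned_text, signed_text, apex):
    """Compare the unsigned input with the signed output minus DNSSEC records."""
    before = parse(unsigned_text)
    after = unsigned_view(parse(signed_text), apex)
    return {"match": digest(before) == digest(after),
            "removed": sorted(before - after), "added": sorted(after - before)}

# Constructed sample zones (not real data); DNSSEC RDATA is abbreviated filler.
UNSIGNED = """example.test. 3600 IN SOA ns1.example.test. host.example.test. 1 7200 900 1209600 300
example.test. 3600 IN NS ns1.example.test.
www.example.test. 300 IN A 192.0.2.10
"""
SIGNED = UNSIGNED + """example.test. 3600 IN DNSKEY 257 3 13 constructedkey==
example.test. 3600 IN CDS 12345 13 2 00ff
example.test. 300 IN NSEC www.example.test. NS SOA RRSIG NSEC DNSKEY CDS
www.example.test. 300 IN RRSIG A 13 3 300 20300101000000 20290101000000 12345 example.test. constructedsig==
"""
TAMPERED = SIGNED.replace("192.0.2.10", "198.51.100.66")
```

`compare(UNSIGNED, SIGNED, "example.test.")` reports a match, while the `TAMPERED` zone fails the digest check and lists the changed A record under `removed` and `added`, which is the per-record output a compare-zones equivalent would report.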