CDS / CDNSKEY Child side processing. * We need a mechanism to say that key should have a cds publish start/end dates. * We need a mechanism to say that key should have a cdnskey publish start/end dates - update dnssec-settime, dnssec-keygen, dnssec-keyfromlabel - update K* files * dnssec-signzone should add cds and/or cdnskey to zone apex iff the DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY records are only removed if there is a deletion date set (implicit on matching DNSKEY going inactive / unpublished or explicit). Non-matching CDS and CDNSKEY are removed. * dnssec-policy publishes cds and/or cdnskey to zone apex iff the DNSKEY is published, is signing the DNSKEY RRset, and if it has been propagated into caches. CDS and CDNSKEY records are removed if the corresponding DNSKEY has been removed from zone and caches. * UPDATE should check that CDS and CDNSKEY match a active DNSKEY that is signing the DNSKEY RRset and ignore otherwise. This should be done after all the update section records have been processed. ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail? * UPDATE should remove CDS and CDNSKEY records that match a DNSKEY that is being removed. This should be done after all the update section records have been processed. ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail? * Zone loading should perform sanity checks on CDS and CDNSKEY records against the DNSKEY records. This will flow through into dnssec-checkzone and "dnssec-checkconf -z". ignore/warn/fail * rndc add the ability to say generate CDS / CDNSKEY along with a key list / all / all SEP * rndc add the ability to say remove CDS / CDNSKEY. * inline zones need to check CDS and CDNSKEY records in the raw zone and filter non matching. * CDS and CDNSKEY must be signed by a DNSKEY which matches parent DS record. This is is different to how non DNSKEY RRsets are usually signed RFC 7344, 4.1.