diff --git a/bin/named/config.c b/bin/named/config.c
index 61ce0a6ecc..586fd44eee 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -271,6 +271,7 @@ view \"_bind\" chaos {\n\
 	allow-new-zones no;\n\
 	max-cache-size 2M;\n\
 	provide-zoneversion no;\n\
+	check-zonemd no;\n\
 \n\
 	# Prevent use of this zone in DNS amplified reflection DoS attacks\n\
 	rate-limit {\n\
diff --git a/bin/tests/system/autosign/ns1/named.conf.in b/bin/tests/system/autosign/ns1/named.conf.in
index fb76b65dc9..a207a59719 100644
--- a/bin/tests/system/autosign/ns1/named.conf.in
+++ b/bin/tests/system/autosign/ns1/named.conf.in
@@ -42,6 +42,7 @@ zone "." {
 	allow-transfer { any; };
 	allow-update { any; };
 	allow-query { any; };
+	check-zonemd no;
 };
 
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 3707a2c7c9..f305d47e4e 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -284,6 +284,7 @@ zone "oldsigs.example" {
 	dnssec-policy jitter;
 	sig-signing-nodes 1000;
 	sig-signing-signatures 100;
+	check-zonemd no;
 };
 
 zone "prepub.example" {
@@ -329,6 +330,7 @@ zone "ttl4.example" {
 zone "delay.example" {
 	type primary;
 	file "delay.example.db";
+	check-zonemd no;
 };
 
 zone "nozsk.example" {
@@ -337,6 +339,7 @@ zone "nozsk.example" {
 	allow-update { any; };
 	inline-signing no;
 	dnssec-policy autosign;
+	check-zonemd no;
 };
 
 zone "inaczsk.example" {
@@ -345,6 +348,7 @@ zone "inaczsk.example" {
 	allow-update { any; };
 	inline-signing no;
 	dnssec-policy autosign;
+	check-zonemd no;
 };
 
 zone "noksk.example" {
@@ -353,6 +357,7 @@ zone "noksk.example" {
 	allow-update { any; };
 	inline-signing no;
 	dnssec-policy autosign;
+	check-zonemd no;
 };
 
 zone "sync.example" {
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 298de9196c..88f524f95f 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -261,7 +261,7 @@ now="$(TZ=UTC date +%Y%m%d%H%M%S)"
 check_expiry() (
   $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 >dig.out.test$n || return 1
   nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' <dig.out.test$n | sort -n | head -1)"
-  if [ "$nearest_expiration" -le "$now" ]; then
+  if [ -z "$nearest_expiration" -o "$nearest_expiration" -le "$now" ]; then
     echo_i "failed: $nearest_expiration <= $now"
     return 1
   fi
diff --git a/bin/tests/system/camp/ns1/named.conf.j2 b/bin/tests/system/camp/ns1/named.conf.j2
index 208a651b0c..48bf2604bf 100644
--- a/bin/tests/system/camp/ns1/named.conf.j2
+++ b/bin/tests/system/camp/ns1/named.conf.j2
@@ -28,4 +28,5 @@ options {
 zone "." {
 	type primary;
 	file "root.db";
+	check-zonemd no;
 };
diff --git a/bin/tests/system/dnssec/ns2/named.conf.j2 b/bin/tests/system/dnssec/ns2/named.conf.j2
index 093aba3120..22c0c92366 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.j2
+++ b/bin/tests/system/dnssec/ns2/named.conf.j2
@@ -227,6 +227,7 @@ zone "peer.peer-ns-spoof" {
 zone "dnskey-rrsigs-stripped" {
 	type primary;
 	file "dnskey-rrsigs-stripped.db.signed";
+	check-zonemd no;
 };
 
 zone "ds-rrsigs-stripped" {
diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2
index 6c9e18976c..43dc5908e6 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -190,17 +190,23 @@ zone "nsec3-unknown.example" {
 	type primary;
 	nsec3-test-zone yes;
 	file "nsec3-unknown.example.db.signed";
+	check-zonemd no;
 };
 
 zone "optout-unknown.example" {
 	type primary;
 	nsec3-test-zone yes;
 	file "optout-unknown.example.db.signed";
+	check-zonemd no;
 };
 
 zone "dnskey-unknown.example" {
 	type primary;
 	file "dnskey-unknown.example.db.signed";
+	/*
+	 * ZONEMD: self validation failure SOA and DNSKEY
+	 */
+	check-zonemd no;
 };
 
 zone "digest-alg-unsupported.example" {
@@ -218,6 +224,10 @@ zone "ds-unsupported.example" {
 zone "dnskey-unsupported.example" {
 	type primary;
 	file "dnskey-unsupported.example.db.signed";
+	/*
+	 * ZONEMD: self validation failure SOA and DNSKEY
+	 */
+	check-zonemd no;
 };
 
 zone "dnskey-unsupported-2.example" {
@@ -229,6 +239,7 @@ zone "dnskey-nsec3-unknown.example" {
 	type primary;
 	nsec3-test-zone yes;
 	file "dnskey-nsec3-unknown.example.db.signed";
+	check-zonemd no;
 };
 
 zone "multiple.example" {
@@ -262,6 +273,7 @@ zone "expired.example" {
 	type primary;
 	allow-update { none; };
 	file "expired.example.db.signed";
+	check-zonemd no; /* signatures are expired */
 };
 
 zone "update-nsec3.example" {
@@ -342,12 +354,17 @@ zone "inline.example" {
 zone "future.example" {
 	type primary;
 	file "future.example.db.signed";
+	check-zonemd no;
 };
 
 zone "managed-future.example" {
 	type primary;
 	file "managed-future.example.db.signed";
 	allow-update { any; };
+	/*
+	 * ZONEMD: self validation failure SOA and DNSKEY
+	 */
+	check-zonemd no;
 };
 
 zone "revkey.example" {
@@ -383,11 +400,17 @@ zone "enabled.managed" {
 zone "unsupported.managed" {
 	type primary;
 	file "unsupported.managed.db.signed";
+	/*
+	 * ZONEMD: self validation failure SOA and DNSKEY
+	 */
+	check-zonemd no;
 };
 
 zone "revoked.managed" {
 	type primary;
 	file "revoked.managed.db.signed";
+	/* Only a revoked key in the zone. */
+	check-zonemd no;
 };
 
 zone "secure.trusted" {
@@ -408,11 +431,17 @@ zone "enabled.trusted" {
 zone "unsupported.trusted" {
 	type primary;
 	file "unsupported.trusted.db.signed";
+	/*
+	 * ZONEMD: self validation failure SOA and DNSKEY
+	 */
+	check-zonemd no;
 };
 
 zone "revoked.trusted" {
 	type primary;
 	file "revoked.trusted.db.signed";
+	/* Only a revoked key in the zone. */
+	check-zonemd no;
 };
 
 zone "too-many-iterations" {
@@ -459,6 +488,7 @@ zone "extradsoid.example" {
 zone "extradsunknownoid.example" {
         type primary;
         file "extradsunknownoid.example.db.signed";
+	check-zonemd no; /* no supported algorithm */
 };
 
 zone "extended-ds-unknown-oid.example" {
diff --git a/bin/tests/system/dnssec/ns6/named.conf.j2 b/bin/tests/system/dnssec/ns6/named.conf.j2
index c3c0da6e44..75e9d2ee8c 100644
--- a/bin/tests/system/dnssec/ns6/named.conf.j2
+++ b/bin/tests/system/dnssec/ns6/named.conf.j2
@@ -46,6 +46,7 @@ zone "split-rrsig" {
 	type primary;
 	file "split-rrsig.db.signed";
 	allow-update { any; };
+	check-zonemd no; /* signatures are expired */
 };
 
 include "trusted.conf";
diff --git a/bin/tests/system/mirror/ns1/named.conf.in b/bin/tests/system/mirror/ns1/named.conf.in
index 32f6d2e29c..c6048f39b6 100644
--- a/bin/tests/system/mirror/ns1/named.conf.in
+++ b/bin/tests/system/mirror/ns1/named.conf.in
@@ -27,4 +27,5 @@ options {
 zone "." {
 	type primary;
 	file "root.db.signed";
+	check-zonemd no;
 };
diff --git a/bin/tests/system/mirror/ns2/named.conf.in b/bin/tests/system/mirror/ns2/named.conf.in
index 57261bfc07..c3a2f53796 100644
--- a/bin/tests/system/mirror/ns2/named.conf.in
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@@ -57,6 +57,7 @@ zone "verify-addzone" {
 zone "verify-axfr" {
 	type primary;
 	file "verify-axfr.db.signed";
+	check-zonemd no;
 };
 
 zone "verify-csk" {
@@ -69,6 +70,7 @@ zone "verify-ixfr" {
 	file "verify-ixfr.db.signed";
 	ixfr-from-differences yes;
 	allow-transfer { 10.53.0.3; };
+	check-zonemd no;
 };
 
 zone "verify-reconfig" {
diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in
index 3d494df796..200c03499a 100644
--- a/bin/tests/system/mirror/ns3/named.conf.in
+++ b/bin/tests/system/mirror/ns3/named.conf.in
@@ -33,6 +33,7 @@ options {
 	trust-anchor-telemetry yes;
 	allow-new-zones yes;
 	dnssec-validation yes;
+	check-zonemd no;
 };
 
 zone "." {
diff --git a/bin/tests/system/nsupdate/ns3/zonemd.test.db.in b/bin/tests/system/nsupdate/ns3/zonemd.test.db.in
index b856ededb0..fb7bbe1f46 100644
--- a/bin/tests/system/nsupdate/ns3/zonemd.test.db.in
+++ b/bin/tests/system/nsupdate/ns3/zonemd.test.db.in
@@ -10,6 +10,8 @@
 ; information regarding copyright ownership.
 
 $TTL 10
-zonemd.test. IN SOA zonemd.test. hostmaster.zonemd.test. 1 3600 900 2419200 3600
-zonemd.test. IN NS zonemd.test.
-zonemd.test. IN A 10.53.0.3
+zonemd.test. IN SOA ns3.zonemd.test. hostmaster.zonemd.test. 1 3600 900 2419200 3600
+zonemd.test. IN NS ns3.zonemd.test.
+zonemd.test. IN NS ns5.zonemd.test.
+ns3.zonemd.test. IN A 10.53.0.3
+ns5.zonemd.test. IN A 10.53.0.5
diff --git a/bin/tests/system/nsupdate/ns5/named.conf.in b/bin/tests/system/nsupdate/ns5/named.conf.in
index 223abd925e..04c812c4b0 100644
--- a/bin/tests/system/nsupdate/ns5/named.conf.in
+++ b/bin/tests/system/nsupdate/ns5/named.conf.in
@@ -40,3 +40,15 @@ zone "local.nil" {
 	file "local.db";
 	update-policy local;
 };
+
+zone "zonemd.test" {
+	type secondary;
+	primaries { 10.53.0.3; };
+	file "zonemd.test.bk";
+};
+
+zone "zonemd-nsec3.test" {
+	type secondary;
+	primaries { 10.53.0.3; };
+	file "zonemd-nsec3.test.bk";
+};
diff --git a/bin/tests/system/redirect/ns5/named.conf.in b/bin/tests/system/redirect/ns5/named.conf.in
index 2513a45138..1a65a6dada 100644
--- a/bin/tests/system/redirect/ns5/named.conf.in
+++ b/bin/tests/system/redirect/ns5/named.conf.in
@@ -22,12 +22,12 @@ options {
 };
 
 zone "." {
-        type primary;
-        file "root.db.signed";
+	type primary;
+	file "root.db.signed";
 };
 
 // An unsigned zone that ns6 has a delegation for.
 zone "unsigned." {
-        type primary;
-        file "unsigned.db";
+	type primary;
+	file "unsigned.db";
 };
diff --git a/bin/tests/system/redirect/ns6/named.conf.in b/bin/tests/system/redirect/ns6/named.conf.in
index dee2bcf51e..28e5371de1 100644
--- a/bin/tests/system/redirect/ns6/named.conf.in
+++ b/bin/tests/system/redirect/ns6/named.conf.in
@@ -22,12 +22,12 @@ options {
 };
 
 zone "." {
-        type primary;
-        file "root.db";
+	type primary;
+	file "root.db";
 };
 
 // A signed zone that ns5 has a delegation for.
 zone "signed." {
-        type primary;
-        file "signed.db.signed";
+	type primary;
+	file "signed.db.signed";
 };
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 8d716dd25a..46b27046f8 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -2619,21 +2619,40 @@ dns_zone_isloaded(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver);
+dns_zone_checkzonemd(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver);
 /*%<
- * If 'zone' is a mirror zone, perform DNSSEC validation of version 'ver' of
- * its database, 'db'.  Ensure that the DNSKEY RRset at zone apex is signed by
- * at least one trust anchor specified for the view that 'zone' is assigned to.
- * If 'ver' is NULL, use the current version of 'db'.
- *
- * If 'zone' is not a mirror zone, return ISC_R_SUCCESS immediately.
+ * Check that version 'ver' of a zone's database 'db' either contains a
+ * ZONEMD record which is a valid hash of contents of the database, or
+ * is not required to contain one.
  *
  * Returns:
  *
- * \li	#ISC_R_SUCCESS		either 'zone' is not a mirror zone or 'zone' is
- *				a mirror zone and all DNSSEC checks succeeded
- *				and the DNSKEY RRset at zone apex is signed by
- *				a trusted key
+ * \li	#ISC_R_SUCCESS		a ZONEMD is present at the zone apex,
+ * 				which is validly signed by a trusted key
+ *
+ * \li	#ISC_R_NOTFOUND		a ZONEMD record is not present at the
+ * 				zone apex, but is not required
+ *
+ * \li	#DNS_R_BADZONE		a ZONEMD record was required but
+ * 				was not present, was not validly
+ * 				signed, was not signed by a trusted
+ * 				key, etc.
+ */
+
+isc_result_t
+dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver);
+/*%<
+ * Perform DNSSEC validation of version 'ver' of a zone database, 'db'.
+ * Ensure that the DNSKEY RRset at zone apex is signed by at least one
+ * trust anchor specified for the view that 'zone' is assigned to.
+ * If 'ver' is NULL, use the current version of 'db'.
+ *
+ * This is meant to be used for mirror zones.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS		all DNSSEC checks succeeded, and the DNSKEY
+ *				RRset at zone apex is signed by a trusted key
  *
  * \li	#DNS_R_VERIFYFAILURE	any other case
  */
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 132df2aa08..c6e3460e09 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -373,6 +373,20 @@ axfr_apply(void *arg) {
 		}
 	}
 
+	if (xfr->diff_running) {
+		/* This is offloaded. */
+		result = dns_zone_checkzonemd(xfr->zone, xfr->db, xfr->ver);
+		if (result == DNS_R_BADZONE) {
+			goto failure;
+		}
+		if (result != ISC_R_SUCCESS &&
+		    dns_zone_gettype(xfr->zone) == dns_zone_mirror)
+		{
+			CHECK(dns_zone_verifydb(xfr->zone, xfr->db, xfr->ver));
+		}
+	}
+	result = ISC_R_SUCCESS;
+
 failure:
 	dns_diff_clear(&xfr->diff);
 	work->result = result;
@@ -393,7 +407,6 @@ axfr_apply_done(void *arg) {
 
 	if (result == ISC_R_SUCCESS) {
 		CHECK(dns_db_endload(xfr->db, &xfr->axfr));
-		CHECK(dns_zone_verifydb(xfr->zone, xfr->db, NULL));
 		CHECK(axfr_finalize(xfr));
 	} else {
 		(void)dns_db_endload(xfr->db, &xfr->axfr);
@@ -512,7 +525,16 @@ static isc_result_t
 ixfr_end_transaction(dns_xfrin_t *xfr) {
 	isc_result_t result = ISC_R_SUCCESS;
 
-	CHECK(dns_zone_verifydb(xfr->zone, xfr->db, xfr->ver));
+	/* This is offloaded. */
+	result = dns_zone_checkzonemd(xfr->zone, xfr->db, xfr->ver);
+	if (result == DNS_R_BADZONE) {
+		goto failure;
+	}
+	if (result != ISC_R_SUCCESS &&
+	    dns_zone_gettype(xfr->zone) == dns_zone_mirror)
+	{
+		CHECK(dns_zone_verifydb(xfr->zone, xfr->db, xfr->ver));
+	}
 	/* XXX enter ready-to-commit state here */
 	if (xfr->ixfr.journal != NULL) {
 		CHECK(dns_journal_commit(xfr->ixfr.journal));
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 7277d9849e..cae04160a4 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -91,6 +91,7 @@
 #include <dns/update.h>
 #include <dns/xfrin.h>
 #include <dns/zone.h>
+#include <dns/zonemd.h>
 #include <dns/zoneverify.h>
 #include <dns/zt.h>
 
@@ -5196,6 +5197,523 @@ failure:
 	return result;
 }
 
+static bool
+signed_by_dnskey(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *dnskeyset,
+		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	bool answer = false;
+	bool ignoretime = (zone->type == dns_zone_primary) &&
+			  !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_ZONEMD_NOEXPIRED);
+
+	/*
+	 * If rdataset is not associated there is nothing to verify.
+	 */
+	if (!dns_rdataset_isassociated(rdataset)) {
+		return false;
+	}
+
+	if (dns_rdataset_isassociated(dnskeyset) &&
+	    dns_rdataset_isassociated(sigrdataset))
+	{
+		DNS_RDATASET_FOREACH(dnskeyset) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(dnskeyset, &rdata);
+			if (dns_dnssec_signs(&rdata, name, rdataset,
+					     sigrdataset, ignoretime,
+					     zone->mctx))
+			{
+				answer = true;
+				break;
+			}
+		}
+	}
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "signed_by_dnskey(%u) -> %s",
+		     rdataset->type, answer ? "true" : "false");
+	return answer;
+}
+
+static bool
+self_signed(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *dsset,
+	    dns_rdataset_t *dnskeyset, dns_rdataset_t *sigrdataset) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_rdataset_t *rdataset = dnskeyset;
+	bool answer = false;
+	bool ignoretime = (zone->type == dns_zone_primary) &&
+			  !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_ZONEMD_NOEXPIRED);
+	dst_key_t *key = NULL;
+
+	if (!dns_rdataset_isassociated(dnskeyset) ||
+	    !dns_rdataset_isassociated(sigrdataset))
+	{
+		goto failure;
+	}
+
+	DNS_RDATASET_FOREACH(dnskeyset) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(dnskeyset, &rdata);
+		if (dns_dnssec_signs(&rdata, name, rdataset, sigrdataset,
+				     ignoretime, zone->mctx))
+		{
+			if (dsset == NULL) {
+				/*
+				 * There isn't a trust achor to
+				 * check against so we are done.
+				 */
+				answer = true;
+				goto failure;
+			}
+
+			CHECK(dns_dnssec_keyfromrdata(name, &rdata, zone->mctx,
+						      &key));
+
+			DNS_RDATASET_FOREACH(dsset) {
+				dns_rdata_t dsrdata = DNS_RDATA_INIT;
+				dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+				unsigned char buf[DNS_DS_BUFFERSIZE];
+				dns_rdata_ds_t ds;
+
+				dns_rdata_reset(&dsrdata);
+				dns_rdataset_current(dsset, &dsrdata);
+				(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
+
+				if (ds.key_tag != dst_key_id(key) ||
+				    ds.algorithm != dst_key_alg(key))
+				{
+					continue;
+				}
+
+				result = dns_ds_buildrdata(
+					name, &rdata, ds.digest_type, buf,
+					sizeof(buf), &newdsrdata);
+				if (result != ISC_R_SUCCESS) {
+					continue;
+				}
+
+				if (dns_rdata_compare(&dsrdata, &newdsrdata) ==
+				    0)
+				{
+					dst_key_free(&key);
+					answer = true;
+					goto failure;
+				}
+			}
+
+			dst_key_free(&key);
+		}
+	}
+
+failure:
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "self_signed(%u) -> %s",
+		     rdataset->type, answer ? "true" : "false");
+	return answer;
+}
+
+static bool
+haszonemdbit(dns_rdataset_t *set) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	result = dns_rdataset_first(set);
+	if (result != ISC_R_SUCCESS) {
+		/* fail true */
+		return true;
+	}
+	dns_rdataset_current(set, &rdata);
+	if (set->type == dns_rdatatype_nsec) {
+		return dns_nsec_typepresent(&rdata, dns_rdatatype_zonemd);
+	} else {
+		return dns_nsec3_typepresent(&rdata, dns_rdatatype_zonemd);
+	}
+}
+
+static isc_result_t
+find_origin_nsec3(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
+		  dns_dbversion_t *version, bool *nsec3paramflagsok,
+		  dns_rdataset_t *nsec3paramset,
+		  dns_rdataset_t *signsec3paramset, dns_fixedname_t *fnsec3name,
+		  dns_dbnode_t **nsec3node, dns_rdataset_t *nsec3set,
+		  dns_rdataset_t *signsec3set) {
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	size_t hashlen = sizeof(hash);
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+
+	result = dns_db_findrdataset(
+		db, node, version, dns_rdatatype_nsec3param, dns_rdatatype_none,
+		0, nsec3paramset, signsec3paramset);
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_db_findrdataset(%u) -> %s",
+		     dns_rdatatype_nsec3param, isc_result_totext(result));
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	result = dns_rdataset_first(nsec3paramset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(nsec3paramset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+		if (nsec3param.flags == 0) {
+			*nsec3paramflagsok = true;
+			break;
+		}
+		result = dns_rdataset_next(nsec3paramset);
+	}
+	CHECK((result == ISC_R_NOMORE) ? ISC_R_NOTFOUND : result);
+	CHECK(dns_nsec3_hashname(fnsec3name, hash, &hashlen, &zone->origin,
+				 &zone->origin, nsec3param.hash,
+				 nsec3param.iterations, nsec3param.salt,
+				 nsec3param.salt_length));
+	CHECK(dns_db_findnsec3node(db, dns_fixedname_name(fnsec3name), false,
+				   nsec3node));
+	/* lookup NSEC3 record */
+	result = dns_db_findrdataset(db, *nsec3node, version,
+				     dns_rdatatype_nsec3, dns_rdatatype_none, 0,
+				     nsec3set, signsec3set);
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_db_findrdataset(%u) -> %s",
+		     dns_rdatatype_nsec3, isc_result_totext(result));
+failure:
+	return result;
+}
+
+isc_result_t
+dns_zone_checkzonemd(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
+	enum { unknown = 0, good = 1, bad = 2 } found[256] = { unknown };
+	bool nsec3paramflagsok = false;
+	isc_result_t result;
+	dns_keynode_t *keynode = NULL;
+	dns_keytable_t *secroots = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbnode_t *nsec3node = NULL;
+	dns_fixedname_t fnsec3name;
+	dns_name_t *origin;
+	dns_name_t *nsec3name = dns_fixedname_initname(&fnsec3name);
+	dns_rdata_soa_t soa;
+	dns_rdata_t soardata = DNS_RDATA_INIT;
+	dns_rdataset_t dsset = DNS_RDATASET_INIT, *dssetp = NULL;
+	dns_rdataset_t dnskeyset = DNS_RDATASET_INIT,
+		       sigdnskeyset = DNS_RDATASET_INIT;
+	dns_rdataset_t nsec3paramset = DNS_RDATASET_INIT,
+		       signsec3paramset = DNS_RDATASET_INIT;
+	dns_rdataset_t nsec3set = DNS_RDATASET_INIT,
+		       signsec3set = DNS_RDATASET_INIT;
+	dns_rdataset_t nsecset = DNS_RDATASET_INIT,
+		       signsecset = DNS_RDATASET_INIT;
+	dns_rdataset_t soaset = DNS_RDATASET_INIT,
+		       sigsoaset = DNS_RDATASET_INIT;
+	dns_rdataset_t zonemdset = DNS_RDATASET_INIT,
+		       sigzonemdset = DNS_RDATASET_INIT;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(db != NULL);
+
+	if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_ZONEMD_CHECK)) {
+		return ISC_R_NOTFOUND;
+	}
+
+	origin = &zone->origin;
+
+	if (zone->view != NULL) {
+		result = dns_view_getsecroots(zone->view, &secroots);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_keytable_find(secroots, origin, &keynode);
+		}
+		if (result == ISC_R_SUCCESS) {
+			if (dns_keynode_dsset(keynode, &dsset)) {
+				dssetp = &dsset;
+			}
+		}
+	}
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "in zone_checkzonemd");
+
+	CHECK(dns_db_findnode(db, &zone->origin, false, &node));
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &soaset,
+				     &sigsoaset);
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_db_findrdataset(%u) -> %s",
+		     dns_rdatatype_soa, isc_result_totext(result));
+	CHECK((result == ISC_R_NOTFOUND) ? DNS_R_BADZONE : result);
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &dnskeyset,
+				     &sigdnskeyset);
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_db_findrdataset(%u) -> %s",
+		     dns_rdatatype_dnskey, isc_result_totext(result));
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_zonemd,
+				     dns_rdatatype_none, 0, &zonemdset,
+				     &sigzonemdset);
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_db_findrdataset(%u) -> %s",
+		     dns_rdatatype_zonemd, isc_result_totext(result));
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	/*
+	 * Look for proofs that the zone is fully signed (NSEC or NSEC3PARAM)
+	 * at apex and that ZONEMD does not exist (apex NSEC/NSEC3),
+	 */
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
+				     dns_rdatatype_none, 0, &nsecset,
+				     &signsecset);
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_db_findrdataset(%u) -> %s",
+		     dns_rdatatype_nsec, isc_result_totext(result));
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+	if (result == ISC_R_NOTFOUND) {
+		result = find_origin_nsec3(zone, db, node, version,
+					   &nsec3paramflagsok, &nsec3paramset,
+					   &signsec3paramset, &fnsec3name,
+					   &nsec3node, &nsec3set, &signsec3set);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			goto failure;
+		}
+	}
+
+	/*
+	 * The zone is signed, check that zonemdset is
+	 * correctly signed, or that it doesn't exist and
+	 * that its nonexistence is not an error.
+	 *
+	 * For a zone to be deemed signed, DNSKEY and one of
+	 * NSEC or NSEC3PARAM (with 0 flags) need to exist.
+	 */
+	if (dns_rdataset_isassociated(&dnskeyset) &&
+	    (dns_rdataset_isassociated(&nsecset) ||
+	     (dns_rdataset_isassociated(&nsec3paramset) && nsec3paramflagsok)))
+	{
+		if (!self_signed(zone, origin, dssetp, &dnskeyset,
+				 &sigdnskeyset))
+		{
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "ZONEMD: self validation failure DNSKEY");
+			CHECK(DNS_R_BADZONE);
+		}
+
+		if (!signed_by_dnskey(zone, origin, &dnskeyset, &soaset,
+				      &sigsoaset))
+		{
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "ZONEMD: self validation failure SOA");
+			CHECK(DNS_R_BADZONE);
+		}
+
+		if (!dns_rdataset_isassociated(&zonemdset)) {
+			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_ZONEMD_REQUIRED))
+			{
+				dns_zone_log(zone, ISC_LOG_INFO,
+					     "ZONEMD required but not present");
+				CHECK(DNS_R_BADZONE);
+			}
+
+			if (signed_by_dnskey(zone, origin, &dnskeyset, &nsecset,
+					     &signsecset) &&
+			    !haszonemdbit(&nsecset))
+			{
+				CHECK(ISC_R_NOTFOUND);
+			}
+
+			if (signed_by_dnskey(zone, nsec3name, &dnskeyset,
+					     &nsec3set, &signsec3set) &&
+			    signed_by_dnskey(zone, origin, &dnskeyset,
+					     &nsec3paramset,
+					     &signsec3paramset) &&
+			    !haszonemdbit(&nsec3set))
+			{
+				CHECK(ISC_R_NOTFOUND);
+			}
+
+			/*
+			 * A validly signed NSEC/NSEC3 indicated that
+			 * ZONEMD should be here, but it isn't.
+			 */
+			CHECK(DNS_R_BADZONE);
+		} else if (!signed_by_dnskey(zone, origin, &dnskeyset,
+					     &zonemdset, &sigzonemdset))
+		{
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "ZONEMD validation failed");
+			CHECK(DNS_R_BADZONE);
+		}
+	} else {
+		if (dssetp != NULL) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "zone at a trust anchor should be signed "
+				     "but isn't");
+			CHECK(DNS_R_BADZONE);
+		}
+
+		if (dns_rdataset_isassociated(&zonemdset)) {
+			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_ZONEMD_DNSSEC)) {
+				dns_zone_log(zone, ISC_LOG_INFO,
+					     "ZONEMD found but zone unsigned");
+				CHECK(DNS_R_BADZONE);
+			}
+
+			/* Unsigned ZONEMD is okay */
+		} else {
+			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_ZONEMD_REQUIRED))
+			{
+				dns_zone_log(zone, ISC_LOG_INFO,
+					     "ZONEMD required but not present");
+				CHECK(DNS_R_BADZONE);
+			}
+
+			CHECK(ISC_R_NOTFOUND);
+		}
+	}
+
+	/*
+	 * Check the ZONEMD records.
+	 */
+	CHECK(dns_rdataset_first(&soaset));
+	dns_rdataset_current(&soaset, &soardata);
+	CHECK(dns_rdata_tostruct(&soardata, &soa, NULL));
+
+	uint32_t max_digest = 0;
+	DNS_RDATASET_FOREACH(&zonemdset) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&zonemdset, &rdata);
+		if (dns_zonemd_supported(&rdata)) {
+			dns_rdata_zonemd_t zonemd;
+			dns_rdata_t check = DNS_RDATA_INIT;
+			unsigned char buf[DNS_ZONEMD_BUFFERSIZE];
+
+			(void)dns_rdata_tostruct(&rdata, &zonemd, NULL);
+
+			if (zonemd.digest_type > max_digest) {
+				max_digest = zonemd.digest_type;
+			}
+
+			if (soa.serial != zonemd.serial) {
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "zonemd serial mismatch: soa=%u "
+					     "zonemd=%u",
+					     soa.serial, zonemd.serial);
+				found[zonemd.digest_type] = bad;
+				continue;
+			}
+
+			if (found[zonemd.digest_type] != unknown) {
+				if (found[zonemd.digest_type] == good) {
+					dns_zone_log(zone, ISC_LOG_DEBUG(3),
+						     "zonemd duplicate: digest "
+						     "type=%u",
+						     zonemd.digest_type);
+					found[zonemd.digest_type] = bad;
+				}
+			} else {
+				CHECK(dns_zonemd_buildrdata(
+					&check, db, version, zonemd.scheme,
+					zonemd.digest_type, zone->mctx, buf,
+					sizeof(buf)));
+				if (dns_rdata_compare(&check, &rdata) != 0) {
+					char tbuf[256];
+					isc_buffer_t b;
+					dns_zone_log(zone, ISC_LOG_DEBUG(3),
+						     "zonemd digest type=%u "
+						     "dns_rdata_compare != 0",
+						     zonemd.digest_type);
+					found[zonemd.digest_type] = bad;
+					if (!isc_log_wouldlog(
+						    ISC_LOG_DEBUG(99)))
+					{
+						continue;
+					}
+					isc_buffer_init(&b, tbuf, sizeof(tbuf));
+					(void)dns_rdata_totext(&check, NULL,
+							       &b);
+					dns_zone_log(
+						zone, ISC_LOG_DEBUG(99),
+						"zonemd built: %.*s",
+						(int)isc_buffer_usedlength(&b),
+						tbuf);
+					isc_buffer_init(&b, tbuf, sizeof(tbuf));
+					(void)dns_rdata_totext(&rdata, NULL,
+							       &b);
+					dns_zone_log(
+						zone, ISC_LOG_DEBUG(99),
+						"zonemd found: %.*s",
+						(int)isc_buffer_usedlength(&b),
+						tbuf);
+				} else {
+					found[zonemd.digest_type] = good;
+				}
+			}
+		}
+	}
+
+	result = DNS_R_BADZONE;
+	for (size_t i = 0; i <= max_digest; i++) {
+		if (found[i] == good) {
+			result = ISC_R_SUCCESS;
+		}
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&dsset)) {
+		dns_rdataset_disassociate(&dsset);
+	}
+	if (dns_rdataset_isassociated(&soaset)) {
+		dns_rdataset_disassociate(&soaset);
+	}
+	if (dns_rdataset_isassociated(&sigsoaset)) {
+		dns_rdataset_disassociate(&sigsoaset);
+	}
+	if (dns_rdataset_isassociated(&nsecset)) {
+		dns_rdataset_disassociate(&nsecset);
+	}
+	if (dns_rdataset_isassociated(&signsecset)) {
+		dns_rdataset_disassociate(&signsecset);
+	}
+	if (dns_rdataset_isassociated(&nsec3set)) {
+		dns_rdataset_disassociate(&nsec3set);
+	}
+	if (dns_rdataset_isassociated(&signsec3set)) {
+		dns_rdataset_disassociate(&signsec3set);
+	}
+	if (dns_rdataset_isassociated(&dnskeyset)) {
+		dns_rdataset_disassociate(&dnskeyset);
+	}
+	if (dns_rdataset_isassociated(&sigdnskeyset)) {
+		dns_rdataset_disassociate(&sigdnskeyset);
+	}
+	if (dns_rdataset_isassociated(&zonemdset)) {
+		dns_rdataset_disassociate(&zonemdset);
+	}
+	if (dns_rdataset_isassociated(&sigzonemdset)) {
+		dns_rdataset_disassociate(&sigzonemdset);
+	}
+	if (dns_rdataset_isassociated(&nsec3paramset)) {
+		dns_rdataset_disassociate(&nsec3paramset);
+	}
+	if (dns_rdataset_isassociated(&signsec3paramset)) {
+		dns_rdataset_disassociate(&signsec3paramset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(&node);
+	}
+	if (nsec3node != NULL) {
+		dns_db_detachnode(&nsec3node);
+	}
+	if (keynode != NULL) {
+		dns_keynode_detach(&keynode);
+	}
+	if (secroots != NULL) {
+		dns_keytable_detach(&secroots);
+	}
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_zone_checkzonemd -> %s",
+		     isc_result_totext(result));
+	return result;
+}
+
 /*
  * The zone is presumed to be locked.
  * If this is a inline_raw zone the secure version is also locked.
@@ -5383,10 +5901,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	 */
 
 	switch (zone->type) {
+	case dns_zone_mirror:
+		dns_zone_setoption(zone, DNS_ZONEOPT_ZONEMD_DNSSEC, true);
+		FALLTHROUGH;
+
 	case dns_zone_dlz:
 	case dns_zone_primary:
 	case dns_zone_secondary:
-	case dns_zone_mirror:
 	case dns_zone_stub:
 	case dns_zone_redirect:
 		if (soacount != 1) {
@@ -5449,11 +5970,18 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 			goto cleanup;
 		}
 
-		result = dns_zone_verifydb(zone, db, NULL);
-		if (result != ISC_R_SUCCESS) {
+		result = dns_zone_checkzonemd(zone, db, NULL);
+		if (result == DNS_R_BADZONE) {
 			goto cleanup;
 		}
 
+		if (result != ISC_R_SUCCESS && zone->type == dns_zone_mirror) {
+			result = dns_zone_verifydb(zone, db, NULL);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+
 		if (zone->db != NULL) {
 			unsigned int oldsoacount;
 
@@ -24526,10 +25054,6 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
 
 	ENTER;
 
-	if (dns_zone_gettype(zone) != dns_zone_mirror) {
-		return ISC_R_SUCCESS;
-	}
-
 	if (ver == NULL) {
 		dns_db_currentversion(db, &version);
 	} else {