Catalog consumer failsafe mode

[klaus-nicat]

Hi all! I am thinking about catalog zones for our customers - they are the producer and we are the consumer. But I am concerned, that if the customer does something the wrong way, all his zones will be deleted immediately and all the customer zones are offline.

For example: the customer as an outage on his hidden primary, and then he re-setups his hidden primary. When he, be mistake first configures the catalog producer (but no member zones yet), the catalog AXFR will provide as with an empty catalog and our PowerDNS immediately deletes all member zones of this customer. Or to cite RFC9432: "Great power comes with great responsibility."

Honstely, this is the only reason why we do not yet offer catalog zones to customers but only use them internally.

So I wonder if we can add some safeguard feature (configureable), eg. like catalog-reject-empty=yes|no or catalog-min-members=<membercount>, so when the catalog is empty or the member count is below a certain threshold, then PowerDNS logs an error but does not consume the catalog (for real cleanup I would implement an out-of-catalog-zone mechanism). Maybe the threshold can also be configured (customers with 1mio zones would use different thresholds than customers with 1000 zones).