Comment by donavanm

4 hours ago

I've been out of the authoritative DNS game for a while, but as I recall…

Larger providers can also get bulk zone access for TLDs and whois/registrar data. For this use case it's relatively easy to create a time-based filter on that. Anything that's "new" will be de facto absent from your "allow" check and create an implicit deny.

Then your large IT provider or recursive DNS system will probably layer in RPZ where they can insert explicit denies at resolution time. Either based on QNAME, RDATA, zone, etc.
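As an added example that is not part of donavanm's comment: a Python sketch of the two layers described above. The first is an age gate built from a constructed "first seen" snapshot standing in for bulk TLD zone or whois data, where anything absent from the snapshot or registered too recently falls through to a deny without an explicit rule. The second is a generator for an RPZ zone that carries explicit denies keyed on QNAME and on response IP (RDATA), plus a helper that materializes the age gate's implicit denies as RPZ records for names actually observed. The zone name `policy.local`, the sample domains and dates, and the two-label registrable-domain shortcut are assumptions made for the example.

```python
"""Age gate over a first-seen snapshot, and an RPZ zone of explicit denies.

Added example; not the commenter's code. All data below is constructed.
"""
from datetime import date, timedelta
from ipaddress import IPv4Network

# Constructed stand-in for a "first seen in the TLD zone / whois created" feed.
# In practice this comes from a bulk zone-file or registrar data agreement.
FIRST_SEEN = {
    "example.com": date(2000, 1, 15),
    "example.net": date(2015, 6, 1),
    "shiny-new.example": date(2024, 5, 30),
}


def registrable_domain(qname: str) -> str:
    """Reduce a QNAME to its registrable domain.

    Assumption: the last two labels. Real code must consult the Public Suffix
    List so that e.g. foo.co.uk is not collapsed to co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def age_gate(qname: str, today: date, min_age_days: int = 30) -> str:
    """Return 'allow', 'deny-new' or 'deny-unknown'.

    The snapshot is the allow list: a domain registered after the snapshot
    was taken is simply absent and lands on the implicit deny branch.
    """
    seen = FIRST_SEEN.get(registrable_domain(qname))
    if seen is None:
        return "deny-unknown"
    if today - seen < timedelta(days=min_age_days):
        return "deny-new"
    return "allow"


def rpz_ip_trigger(cidr: str) -> str:
    """Encode an IPv4 prefix as an RPZ response-IP (RDATA) trigger owner name.

    Format is prefix length first, then the network octets in reverse order,
    under the rpz-ip label, e.g. 192.0.2.0/24 -> 24.0.2.0.192.rpz-ip
    """
    net = IPv4Network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def build_rpz(origin: str, qname_denies, rdata_denies, passthru=()) -> str:
    """Render an RPZ zone file as text.

    Actions: 'CNAME .' answers NXDOMAIN, 'CNAME *.' answers NODATA,
    'CNAME rpz-passthru.' lets the real answer through. Trigger precedence
    between QNAME, IP and other trigger types is resolver-defined; check the
    documentation of the resolver that loads the zone.
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA {origin}. hostmaster.{origin}. 1 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for name in qname_denies:          # QNAME triggers: owner == queried name
        name = name.rstrip(".")
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")   # also catch every subdomain
    for cidr in rdata_denies:          # RDATA triggers: any answer in this prefix
        lines.append(f"{rpz_ip_trigger(cidr)} CNAME .")
    for name in passthru:              # explicit allow for a trusted name
        lines.append(f"{name.rstrip('.')} CNAME rpz-passthru.")
    return "\n".join(lines) + "\n"


def rpz_from_observed(observed_qnames, today: date, origin: str = "policy.local") -> str:
    """Turn the age gate's implicit denies into explicit RPZ QNAME denies for
    names seen in resolver logs (constructed input in the test)."""
    denies = sorted({registrable_domain(q) for q in observed_qnames
                     if age_gate(q, today) != "allow"})
    return build_rpz(origin, denies, rdata_denies=())


if __name__ == "__main__":
    today = date(2024, 6, 10)
    seen_in_logs = ["www.example.com", "cdn.shiny-new.example", "login.typo-example.com"]
    print(rpz_from_observed(seen_in_logs, today))
    print(build_rpz("policy.local", ["bad.example.net"], ["192.0.2.0/24"], ["example.com"]))
```

The age gate and the RPZ zone are complementary: the gate needs no per-domain rule and catches whatever is too new to have been vetted, while the RPZ zone is where a resolver operator records the decisions that must hold at resolution time regardless of registration age, including blocks on the answer IPs rather than on the name.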