diff --git a/samples/external_validation.sh b/samples/external_validation.sh
new file mode 100755
index 000000000..932e322a5
--- /dev/null
+++ b/samples/external_validation.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Copyright (C) CZ.NIC, z.s.p.o. and contributors
+# SPDX-License-Identifier: GPL-2.0-or-later
+# For more information, see <https://www.knot-dns.cz/>
+
+# This package is needed on Debian derived ditributions: libglib2.0-bin
+
+# This is an example script demonstrating Knot DNS's interface for external zone update verification.
+#
+# Expected configuration:
+#
+# server:
+#     ...
+#     dbus-event: external-verify
+#
+# external:
+#   - id: extval_example
+#     dump-removals: %s.zonediff
+#     dump-additions: %s.zonediff
+#
+# zone:
+#     ...
+#     external-validation: extval_example
+
+ZONEFILE=/var/lib/knot/%szonediff
+MAX_NS_DIFF=1000 # maximum allowed changed NS records
+
+function validate() {
+    DIFF="$1"
+    NSCOUNT=$(awk '{ if ($3 == "NS") nscount++; } END { print nscount; }' "$DIFF")
+    if [[ "$?" -gt 0 ]]; then
+        return 1
+    fi
+    if [[ "$NSCOUNT" -gt "$MAX_NS_DIFF" ]]; then
+        echo "...failed"
+        # TODO send yourself an e-mail here
+        return 1
+    fi
+    echo "...passed"
+}
+
+gdbus monitor --system --dest cz.nic.knotd --object-path /cz/nic/knotd \
+    | while read dest event args; do
+        if [[ "$dest" =~ ^/cz/nic/knotd:* && "$event" =~ \.external_verify$ ]]; then
+            ZONE=$(echo "$args" | cut -d "'" -f 2)
+            ZONEDIFF=${ZONEFILE//%s/$ZONE}
+            echo "Validating diff of zone '$ZONE' at $ZONEDIFF"
+            if validate "$ZONEDIFF"; then
+                knotc zone-commit "$ZONE"
+            else
+                knotc zone-abort "$ZONE"
+            fi
+        fi
+done