Suppose I receive a response containing an RRSET with records with ttl=3600, signed with an RRSIG that has an expiration timestamp 60 seconds from now.
After validating the signature, can I cache the RRSET for 3600 seconds, or only for 60 seconds? If the former, and the RRSET is a DNSKEY, can I rely on it to validate other RRSIGs for the entire 3600 seconds? -Nick Johnson
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
