On 19 sep 2013, at 19:32, Joe Abley <[email protected]> wrote:
> Validating resolvers will drop an RRSIG from a cache and re-fetch if the
> local clock has ticked past the expiration timer specified in the
> corresponding RRSIG RDATA field.
I would note "might drop", not "will drop". The specification is not strict on
this and even though refetching may be the sane thing to do, I can imagine
validating resolvers just returning bogus if the (expired) signature in the
cache does not validate the associated cached data.
jakob
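
The situation discussed above, as an added example that is not part of the original thread: a cached RRset whose TTL is still running while its RRSIG has passed the expiration time. The policy names `refetch` and `bogus`, the cache-entry layout and the sample entry are assumptions made for illustration. The expiration field is compared with 32-bit serial number arithmetic, as RFC 4034 specifies.

```python
import calendar
import time

MASK32 = 0xFFFFFFFF

def parse_rrsig_time(text):
    """Presentation-format RRSIG time (YYYYMMDDHHmmSS, UTC) -> 32-bit seconds."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) & MASK32

def serial_lt(a, b):
    """RFC 1982 'a < b' for 32-bit serial numbers (survives wrap-around)."""
    return a != b and ((b - a) & MASK32) < 0x80000000

def rrsig_expired(expiration, now):
    """True once the local clock has ticked past the RRSIG expiration field."""
    return serial_lt(expiration, now & MASK32)

def answer_from_cache(entry, now, policy):
    """Decide what a validating resolver does with a cached, signed RRset.

    policy is a hypothetical switch for the two behaviours in the thread:
    'refetch' drops the entry and queries again, 'bogus' fails validation.
    """
    if now >= entry["cached_at"] + entry["ttl"]:
        return "refetch"            # ordinary TTL expiry, nothing DNSSEC-specific
    if not rrsig_expired(entry["expiration"], now):
        return "secure"             # signature still inside its validity window
    return "refetch" if policy == "refetch" else "bogus"

# Constructed sample: cached at 12:00 with a one-day TTL, but the signature
# expires at 18:00 the same day, so the TTL outlives the RRSIG.
SAMPLE_ENTRY = {
    "cached_at": parse_rrsig_time("20130919120000"),
    "ttl": 86400,
    "expiration": parse_rrsig_time("20130919180000"),
}

if __name__ == "__main__":
    now = parse_rrsig_time("20130919193200")
    for policy in ("refetch", "bogus"):
        print(policy, "->", answer_from_cache(SAMPLE_ENTRY, now, policy))
```

A zone operator who cannot rely on every resolver re-fetching has to publish fresh signatures before the old ones expire, with margin for the TTL of records already cached.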