On Fri, 24 Sep 2021, Matthijs Mekking wrote:
> Second, I believe the corner case you mentioned is for Figure 15 (the one in Appendix D), and I don't understand the scenario you are describing. What do you mean with "the resolver getting the DNSKEY RRset for NS_B would not contain a valid key for the DNSKEY RRset of NS_B". I think the resolver would get a new DNSKEY RRset with a pre-fetch (or if the DNSKEY RRset was expired from cache) and that would be validated with the DNSKEY from the response.

If it has a valid unexpired DNSKEY RRset, and a resolver fetches that DNSKEY RRset again, will it use the cached DNSKEY RRset or the DNSKEY RRset from the fetched record set to validate the signature against the cached DS RRset? Or is this implementation specific?

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop