You don’t perform a verify if the time window is invalid. The same as you don’t perform a verify if the tag doesn’t match. Mind you, it’s completely pointless to have multiple time ranges. The RRset and its signatures travel as pairs. All the key rollover rules depend on that.
-- Mark Andrews

> On 2 Mar 2024, at 06:43, John R Levine <jo...@taugh.com> wrote:
>
>>> Remember that the keytags are just a hint to limit the number of keys
>>> you need to check for each signature. If I have a zone with 300
>>> signatures per key, it's still going to take a while to check them all
>>> even with no duplicate tags. It won't be as bad as the quadratic
>>> keytrap but it'll still be annoying.
>>
>> If key tags are unique, then a validator can just discard anything that
>> has multiple signatures with the same key tag.
>
> No, that's not how it works. The signatures might have different time ranges
> or otherwise be different but still plausibly valid. Please review RFCs 4034
> and 4035.
>
> R's,
> John
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
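Added example, not code from either poster: the cheap validator pre-checks the thread refers to (validity window first, then key tag and algorithm match) written in Python, showing how many signature/key pairs still reach cryptographic verification when tags collide. It assumes plain integer timestamps (RFC 4034 specifies serial-number arithmetic) and uses constructed sample records.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int      # RFC 4034 Appendix B key tag
    algorithm: int

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    inception: int    # seconds since epoch (RFC 4034 section 3.1.5)
    expiration: int

def time_window_valid(sig: RRSIG, now: int) -> bool:
    # Assumption: plain integer comparison; RFC 4034 section 3.1.5 uses
    # serial-number arithmetic for the 32-bit timestamps.
    return sig.inception <= now <= sig.expiration

def candidate_pairs(rrsigs, dnskeys, now):
    """Return the (RRSIG, DNSKEY) pairs that would reach cryptographic verification.

    Cheap checks first: a signature outside its validity window is never
    verified, and a signature is only tried against keys whose key tag and
    algorithm match (RFC 4035 section 5.3.1). Keys sharing a tag still cost
    one verification attempt each for every matching signature.
    """
    keys_by_tag = {}
    for k in dnskeys:
        keys_by_tag.setdefault((k.key_tag, k.algorithm), []).append(k)
    pairs = []
    for sig in rrsigs:
        if not time_window_valid(sig, now):
            continue
        for k in keys_by_tag.get((sig.key_tag, sig.algorithm), []):
            pairs.append((sig, k))
    return pairs

# Constructed sample: two keys sharing tag 12345 (a collision), one key with
# tag 999, and four signatures; NOW is a fixed reference instant.
NOW = 1_709_337_780
SAMPLE_KEYS = [DNSKEY(12345, 13), DNSKEY(12345, 13), DNSKEY(999, 13)]
SAMPLE_RRSIGS = [
    RRSIG(12345, 13, NOW - 3600, NOW + 3600),   # valid window, colliding tag
    RRSIG(12345, 13, NOW - 7200, NOW - 3600),   # expired: never verified
    RRSIG(999, 13, NOW - 3600, NOW + 3600),     # valid window, unique tag
    RRSIG(777, 13, NOW - 3600, NOW + 3600),     # no key with this tag
]

def verification_attempts(rrsigs=SAMPLE_RRSIGS, dnskeys=SAMPLE_KEYS, now=NOW):
    return len(candidate_pairs(rrsigs, dnskeys, now))  # 3 of 12 naive pairings
```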