You don’t perform a verify if the time window is invalid. The same as you don’t perform a verify if the tag doesn’t match. Mind you it’s completely pointless to have multiple time ranges. The RRset and its signatures travel as pairs. All the key rollover rules depend on that.
I agree it doesn't make much sense to have two signatures with overlapping time windows but the spec allows it.
For about the hundredth time, the way you deal with any of this is resource limits, not trying to invent new rules about stuff we might have forbidden if we'd thought of it 20 years ago.
R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
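The two checks discussed in this thread, side by side, as an added example that is not part of the original messages or of any resolver's code: signatures are filtered by validity window and key tag before any cryptographic work, and a cap bounds the verifies that remain. The names `Rrsig`, `Dnskey`, `candidates`, `validate` and `max_verifies`, the stub verifier and all sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rrsig:            # only the fields these checks need
    key_tag: int
    algorithm: int
    inception: int      # plain epoch seconds; real RRSIGs use 32-bit serial arithmetic
    expiration: int
    label: str          # constructed marker standing in for the signature bytes

@dataclass(frozen=True)
class Dnskey:
    key_tag: int
    algorithm: int

class BudgetExceeded(Exception):
    pass

def candidates(rrsigs, dnskeys, now):
    """Yield (rrsig, key) pairs that are worth a cryptographic verify."""
    for sig in rrsigs:
        if not (sig.inception <= now <= sig.expiration):
            continue    # outside its time window: never verified
        for key in dnskeys:
            if (key.key_tag, key.algorithm) == (sig.key_tag, sig.algorithm):
                yield sig, key   # key tags can collide, so several keys may match

def validate(rrsigs, dnskeys, now, verify, max_verifies=4):
    """Return (ok, attempts); raise BudgetExceeded once the cap is spent."""
    attempts = 0
    for sig, key in candidates(rrsigs, dnskeys, now):
        if attempts >= max_verifies:
            raise BudgetExceeded(f"gave up after {attempts} verifies")
        attempts += 1
        if verify(sig, key):
            return True, attempts
    return False, attempts

# Constructed sample data: two keys share a tag, two signatures overlap in time.
NOW = 1_700_000_000
KEYS = [Dnskey(12345, 13), Dnskey(12345, 13), Dnskey(777, 13)]
SIGS = [
    Rrsig(12345, 13, NOW - 7200, NOW - 3600, "expired"),
    Rrsig(999, 13, NOW - 3600, NOW + 3600, "no-matching-tag"),
    Rrsig(12345, 13, NOW - 3600, NOW + 3600, "bad"),
    Rrsig(12345, 13, NOW - 1800, NOW + 7200, "good"),
]

def stub_verify(sig, key):
    return sig.label == "good"   # stand-in for the real signature check
```

The pre-filter removes the expired and unmatched signatures for free, but the overlapping windows and colliding tags still leave four candidate pairs, which is the part only the cap bounds.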