Paul Wouters wrote:

----- Original message -----
> RFC4034 states:
>
> 3.1.5. Signature Expiration and Inception Fields
>
> The Signature Expiration and Inception fields specify a validity
> period for the signature. The RRSIG record MUST NOT be used for
> authentication prior to the inception date and MUST NOT be used for
> authentication after the expiration date.
>
> I read that as: if the record is authenticated, put it in the cache and
> use it until the TTL has expired.

Indeed, that makes sense. The combination of AD with expired signatures is a bit counter-intuitive to me. In this case, AD doesn't say "This response *is* valid" but "it *was* valid when it got cached".

Thanks for the clarification.

Hauke.