Mark,

On Thu, 2010-06-24 at 07:53 +1000, Mark Andrews wrote:
> Signature life time should be greater than (RRset ttl + SOA expire)
> or else you will have caches handing out RRsets that do not validate.

Perhaps we should design caches that remove such RRsets, to help people
who get their timings wrong?

--
Shane
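
Added example, not part of the original message and not any resolver's or signer's own code: a Python sketch of both sides of the exchange above, checking the quoted timing rule on the signing side and bounding or dropping cached RRsets by signature expiration on the cache side. The sample records, the SOA expire value and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_sig_time(s):
    """RRSIG presentation timestamp YYYYMMDDHHmmSS (UTC) -> epoch seconds."""
    dt = datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def parse_rrsig(line):
    """Parse one RRSIG record in presentation format; the signature is ignored."""
    f = line.split()
    # owner ttl class RRSIG covered alg labels orig_ttl expire incept tag signer sig
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "covered": f[4], "orig_ttl": int(f[7]),
            "expiration": parse_sig_time(f[8]), "inception": parse_sig_time(f[9])}

def lifetime_ok(rrsig, soa_expire):
    """Signing-side check: signature lifetime > RRset TTL + SOA expire."""
    lifetime = rrsig["expiration"] - rrsig["inception"]
    return lifetime > rrsig["orig_ttl"] + soa_expire

def cache_ttl(rrsig, received_ttl, now):
    """Cache-side check: never hold an RRset past its signature expiration.
    Returns the TTL to store, or None if the RRset should be dropped."""
    remaining = rrsig["expiration"] - now
    if remaining <= 0:
        return None  # signature already expired: do not cache or serve
    return min(received_ttl, rrsig["orig_ttl"], remaining)

# Constructed sample data (signature field is a placeholder, not a real signature).
SOA_EXPIRE = 604800  # 7 days, assumed value from the zone's SOA
SHORT = parse_rrsig("example.com. 86400 IN RRSIG A 8 2 86400 "
                    "20100701000000 20100624000000 12345 example.com. c2lnbmF0dXJl")
LONG = parse_rrsig("www.example.com. 3600 IN RRSIG A 8 3 3600 "
                   "20100724000000 20100624000000 12345 example.com. c2lnbmF0dXJl")

if __name__ == "__main__":
    for sig in (SHORT, LONG):
        verdict = "ok" if lifetime_ok(sig, SOA_EXPIRE) else "TOO SHORT"
        print(sig["owner"], sig["covered"], verdict)
    now = parse_sig_time("20100630233000")  # 30 minutes before SHORT expires
    print("cache TTL for SHORT:", cache_ttl(SHORT, 86400, now))
```

SHORT has a 7-day signature over a 1-day TTL with a 7-day SOA expire, so it fails the signing-side rule; the cache-side function then limits how long such an RRset can be handed out.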