>> > Say resolver makes 'efficient' use of cached NSEC records, which one
>> > should be returned for a query for F, for G, and for H.

>> Wouldn't the resolver return F for the query for F,

> Why is F more valid than A NSEC H ?

Well, for one thing, SIG(F) will have a newer timestamp than SIG(A
NSEC H). Second, unless A NSEC H was obtained by a query for F, the
cache should not associate A NSEC H with F. I.e., if the cache has A
NSEC H due to a query for E, it should not carry over that response
into a query for F.


Derek Atkins 617-623-3745
Computer and Internet Security Consultant

to unsubscribe send a message to with
the word 'unsubscribe' in a single line as the message text body.