Does anyone know if DNSSEC-validating recursive resolvers will retry (fetch new records) if their cached DNSSEC-related records (e.g. DS) are a certain age and they are seeing a validation error?
If they would, problems could autocorrect faster (than waiting out a TTL of 1 day). It could cause higher load on name servers, but at first glance it seems like a reasonable trade off.
Page 50 of the report says that some (unnamed) resolvers do this, and “we think this [..] is a very good implementation feature to reduce the impact of mistakes”, but that it’s “definitely not universally implemented”.
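To make the trade-off discussed in the question and the reply concrete, here is a small Python model of a validator's DS cache (added illustration, not code from the thread, from the report, or from any real resolver). It compares a validator that simply waits out the DS TTL with one that re-fetches the DS on a validation failure once the cached copy is older than a minimum age. The timeline (a child key roll at 1h, the parent DS fixed at 2h05m, a client asking every 10 minutes), the record values and the `min_age` knob are all constructed; "validation" is a plain string comparison standing in for hashing the DNSKEY and matching it against the DS digest.

```python
from dataclasses import dataclass

DAY = 86400  # DS TTL used in the constructed scenario, in seconds


@dataclass
class CachedRecord:
    value: str       # stands in for the DS digest
    fetched_at: int  # time the record was fetched from the parent
    ttl: int


class Parent:
    """Stands in for the parent zone's authoritative server; counts queries
    so the extra load caused by early re-fetches is visible."""

    def __init__(self, ds: str) -> None:
        self.ds = ds
        self.queries = 0

    def query_ds(self) -> str:
        self.queries += 1
        return self.ds


class Validator:
    """Toy validating resolver holding a single cached DS record."""

    def __init__(self, parent: Parent, refetch_on_failure: bool, min_age: int) -> None:
        self.parent = parent
        self.refetch_on_failure = refetch_on_failure  # the policy the question asks about
        self.min_age = min_age  # do not re-fetch more often than this on failures
        self.cache: CachedRecord | None = None

    def _expired(self, now: int) -> bool:
        return self.cache is None or now >= self.cache.fetched_at + self.cache.ttl

    def _fetch(self, now: int) -> None:
        self.cache = CachedRecord(self.parent.query_ds(), now, DAY)

    def resolve(self, now: int, child_key: str) -> bool:
        """Return True if the child's key validates against the cached DS."""
        fresh = self._expired(now)
        if fresh:
            self._fetch(now)  # normal TTL-driven refresh
        assert self.cache is not None
        if self.cache.value == child_key:
            return True
        # Validation failed. With the retry policy on, re-fetch the DS early,
        # but only if the cached copy is old enough (bounds the extra load).
        age = now - self.cache.fetched_at
        if not fresh and self.refetch_on_failure and age >= self.min_age:
            self._fetch(now)
            return self.cache.value == child_key
        return False


def simulate(refetch_on_failure: bool, min_age: int = 3600, step: int = 600) -> tuple[int, int]:
    """Constructed scenario: the child publishes a new key at t=1h but the
    parent's DS is only corrected at t=2h05m (an operator mistake). A client
    asks every `step` seconds for one day. Returns (first time validation
    succeeds again, total queries sent to the parent)."""
    roll_at, fix_at = 3600, 7500
    parent = Parent("old-ds")
    validator = Validator(parent, refetch_on_failure, min_age)
    first_success = None
    for now in range(0, DAY + 1, step):
        parent.ds = "old-ds" if now < fix_at else "new-ds"
        child_key = "old-ds" if now < roll_at else "new-ds"
        ok = validator.resolve(now, child_key)
        if ok and now >= roll_at and first_success is None:
            first_success = now
    assert first_success is not None
    return first_success, parent.queries


if __name__ == "__main__":
    for policy, label in ((False, "wait out TTL"), (True, "re-fetch on failure")):
        t, q = simulate(policy)
        print(f"{label:20s}: validates again at t={t}s, parent queried {q} times")
```

Running it shows the two sides of the trade-off the question raises: waiting out the TTL leaves the name broken until the DS expires a day later with only two parent queries, while re-fetching on failure (at most once per `min_age`) recovers within an hour of the fix at the cost of a couple of extra queries; setting `min_age=0` recovers fastest but turns every failing lookup into a query to the parent.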