Assume a security-aware caching resolver receives a DNS RRset at time t0 with signatures on it that expire at time t1 (where t0 < t1), and the RRset's TTL is n. According to DNS, RRsets should be cached for the duration of the TTL and then discarded. What should a security aware resolver do if t0 + n > t1?