Dirkjan Ochtman
FYI, I started hacking on this a little bit today.
> replace the use of `DnsHandle` to interface with `DnssecDnsHandle`

This feels like the right solution to me at least in terms of the library API. I think the question...
A quick web search turns up this [documentation](https://doc.powerdns.com/recursor/dnssec.html) from PowerDNS. Describing its default `process` mode:

> When [dnssec.validation](https://doc.powerdns.com/recursor/yamlsettings.html#setting-yaml-dnssec-validation) is set to process the behaviour is similar to [process-no-validate](https://doc.powerdns.com/recursor/dnssec.html#process-no-validate). However, the...
I suppose 2535 has been declared obsolete in favor of 4035. [Section 3.1.6](https://www.rfc-editor.org/rfc/rfc4035#section-3.1):

> A security-aware name server MUST NOT set the AD bit in a response unless the name...
* I guess renaming `PacketKeySet` to just `PacketKeys` might be more consistent.
* `DirectionalKeys` includes keys in one direction only. 0-RTT keys is directional because we only need client-to-server keys....
> It seems like the client needs one "sealing key" for sending 0-RTT data and the server needs one "opening key" for receiving 0-RTT data.

Correct.

> Naively I would...
I implemented separate sealing/opening keys and masking/unmasking keys, see here: https://github.com/djc/rustls/compare/quic-api...quic-split-api One issue with this is how we return the 0-RTT keys to the caller. I used associated types for...
@LiquidityC please confirm that you are okay with an advisory being published for your crate. Also, are you planning to fix these issues? If that is planned for the short...
@GeorgeAndrou can you add something like this to the advisory at the end:

> Unfortunately, the maintainer doesn't have much availability to resolve these issues so there's no concrete timeline...
Feel free to submit a PR.