1. validate module must be between iterate/cache
2. produce: copy OPT with DO=1, ask for DNSKEY if we don’t have it
3. resolve.c: subrequest DNSKEY if asked to do it
4. consume: check DNSKEY and set it, validate RRSIGs against it

another issues:

rrsigcache is copypasta of rrcache, there is one special case with storing RRSIGs which doesn’t deserve it’s own module (if the validation is off, then nothing will get written in there anyway)

since the resolution is asynchronous, layers must only *ask* resolver to do subrequests for them using query flags (like when we encounter an unknown zone cut)