Abstract The HMAC RFC by Krawczyk, Bellare and Canetti from 1997 is nowadays the de facto default pseudorandom function used in key exchange protocols. One of its most popular uses is specified in the HKDF RFC by Krawczyk from 2010---indeed, HKDF is a cornerstone of the key schedules of TLS, MLS and the Noise protocol family. However, unlike in Krawczyk's carefully outlined extract-once approach, TLS, MLS and Noise extract multiple times from the same key material. In addition, since they combine multiple keys, current key schedules consist of complex chaining of HKDFs. The choices for which context to hash are results of extended working group discussions, and the rationales are not immediate from the design.