[Unbound-users] Expired signature accepted?
wouter at NLnetLabs.nl
Fri Oct 16 08:21:54 UTC 2009
On 10/16/2009 09:28 AM, Stephane Bortzmeyer wrote:
> keltia.net is signed, is in DLV and the signatures are expired since yesterday.
> Yet, Unbound 1.3.2 accepts it and flags it as authentic:
24 hour signature skew, default allowed to allow for time-zone
misconfigurations. Config val-sig-skew-min and val-sig-skew-max.
Unbound allows a skew of max 10% of the signature TTL, that value
must be between 1 hour and 24 hours (see config items to change).
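
A simplified model of the date check described in the reply above, added here as an example and not taken from Unbound's source or from the poster. It reads "signature TTL" as the RRSIG validity period (expiration minus inception), which is an assumption; the function names and sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Limits named in the post: 1 hour and 24 hours, in seconds.
VAL_SIG_SKEW_MIN = 3600
VAL_SIG_SKEW_MAX = 86400


def allowed_skew(inception, expiration,
                 skew_min=VAL_SIG_SKEW_MIN, skew_max=VAL_SIG_SKEW_MAX):
    """10% of the validity period, clamped to [skew_min, skew_max] seconds."""
    lifetime = int((expiration - inception).total_seconds())
    return max(skew_min, min(lifetime // 10, skew_max))


def check_sig_dates(now, inception, expiration,
                    skew_min=VAL_SIG_SKEW_MIN, skew_max=VAL_SIG_SKEW_MAX):
    """Return (accepted, reason) for one RRSIG's inception/expiration pair."""
    if expiration < inception:
        return False, "expiration precedes inception"
    skew = timedelta(seconds=allowed_skew(inception, expiration,
                                          skew_min, skew_max))
    if inception - now > skew:
        return False, "not yet valid, beyond allowed skew"
    if now - expiration > skew:
        return False, "expired, beyond allowed skew"
    if now > expiration:
        return True, "expired, but within allowed skew"
    return True, "within validity period"


# Constructed sample: a 30-day signature that expired 9 hours before NOW.
NOW = datetime(2009, 10, 16, 9, 0, tzinfo=timezone.utc)
EXPIRED_9H = (NOW - timedelta(days=30, hours=9), NOW - timedelta(hours=9))
# Constructed sample: a 5-hour signature that expired 2 hours before NOW.
SHORT_2H = (NOW - timedelta(hours=7), NOW - timedelta(hours=2))

if __name__ == "__main__":
    print(check_sig_dates(NOW, *EXPIRED_9H))        # default skew limits
    print(check_sig_dates(NOW, *EXPIRED_9H, 0, 0))  # both limits set to 0
    print(check_sig_dates(NOW, *SHORT_2H))          # 10% is below the 1 hour floor
```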