[Unbound-users] Expired RRSIGs, yet still "AD" flag set
Hauke Lampe
lampe at hauke-lampe.de
Wed Mar 30 12:52:45 UTC 2011
On 30.03.2011 14:44, Stephane Bortzmeyer wrote:
> What is your value of val-sig-skew-min and val-sig-skew-max? By
> default, Unbound allows expired signatures for 10 % of their validity
> period.
They're still at their default values:
# The signature inception and expiration dates are allowed to be off
# by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
val-sig-skew-max should have limited the allowed skew anyway, as the
signatures already expired two days ago.
After flushing the cache, Unbound returns SERVFAIL, as expected:
> unbound: info: Could not establish a chain of trust to keys for <mixmin.net. DNSKEY IN>
> unbound: info: validation failure <fleegle.mixmin.net. A IN>: signature expired from 86.59.118.153 for key mixmin.net. while building chain of trust
Hauke.
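To see why val-sig-skew-max alone should reject a signature that expired two days earlier, the following is an added example (written for this page; it is neither Unbound's code nor code from the thread) that models the rule quoted from unbound.conf above: the allowed leeway is 10% of the signature lifetime (expiration minus inception), clamped to [val-sig-skew-min, val-sig-skew-max]. The RRSIG inception/expiration times and the 30-day lifetime are constructed for illustration; the function names are my own. RRSIG timestamps are 32-bit values, so the comparison uses serial arithmetic as in RFC 4034 section 3.1.5. The example covers only the date check, not the cache behaviour that let the AD flag survive until the cache was flushed.

```python
"""Model of the RRSIG date-skew rule described in unbound.conf (added example)."""
import datetime as dt

DEFAULT_SKEW_MIN = 3600   # val-sig-skew-min default, seconds
DEFAULT_SKEW_MAX = 86400  # val-sig-skew-max default, seconds
MOD32 = 1 << 32           # RRSIG times are unsigned 32-bit seconds


def serial_diff(a, b):
    """Signed difference a - b of two 32-bit timestamps (RFC 4034 serial arithmetic)."""
    d = (a - b) % MOD32
    return d - MOD32 if d >= MOD32 // 2 else d


def parse_rrsig_time(text):
    """Convert RRSIG presentation format YYYYMMDDHHmmSS (UTC) to a 32-bit epoch value."""
    t = dt.datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
    return int(t.timestamp()) % MOD32


def allowed_skew(inception, expiration,
                 skew_min=DEFAULT_SKEW_MIN, skew_max=DEFAULT_SKEW_MAX):
    """Leeway in seconds: 10% of the lifetime, capped below by skew_min and above by skew_max."""
    lifetime = serial_diff(expiration, inception)
    if lifetime < 0:
        raise ValueError("expiration precedes inception")
    return max(skew_min, min(skew_max, lifetime // 10))


def check_dates(now, inception, expiration,
                skew_min=DEFAULT_SKEW_MIN, skew_max=DEFAULT_SKEW_MAX):
    """Return (accepted, reason) for a signature checked at time `now`."""
    skew = allowed_skew(inception, expiration, skew_min, skew_max)
    if serial_diff(now, inception) < -skew:
        return False, "signature not yet valid"
    if serial_diff(now, expiration) > skew:
        return False, "signature expired"
    return True, "ok"


# Constructed scenario: a 30-day signature that expired two days before the check.
SIG_INCEPTION = parse_rrsig_time("20110226120000")
SIG_EXPIRATION = parse_rrsig_time("20110328120000")
NOW = parse_rrsig_time("20110330125245")  # time of the mail, assumed as "now"


def demo():
    """Lifetime 30 days -> 10% is 3 days, clamped to val-sig-skew-max (1 day)."""
    return allowed_skew(SIG_INCEPTION, SIG_EXPIRATION), check_dates(NOW, SIG_INCEPTION, SIG_EXPIRATION)


if __name__ == "__main__":
    skew, result = demo()
    print("allowed skew:", skew, "seconds")
    print("verdict:", result)
```

Two days past expiration exceeds the 86400-second cap, so a validator applying this rule must reject the signature regardless of the 10% figure; a 2-hour signature, by contrast, gets the 3600-second floor rather than 720 seconds.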