resolution fails when the date of the server is more than 2 days late
Ondřej Caletka
ondrej at caletka.cz
Mon Mar 2 07:47:54 UTC 2020
> Is there a way to prevent this behaviour from unbound, and get at least
> ntp.org resolved when there is a serious clock drift ?
>
Hello Dysmas,
according to unbound.conf(5):
> val-override-date: <rrsig-style date spec>
> Default is "" or "0", which disables this debugging feature. If enabled by giving a
> RRSIG style date, that date is used for verifying RRSIG inception and expiration dates,
> instead of the current date. Do not set this unless you are debugging signature inception
> and expiration. The value -1 ignores the date altogether, useful for some special
> applications.
So I guess the way out is to boot the device with
`val-override-date: -1` and after the clock is synchronized (which should
be signalled by NTP). The other option is to declare the NTP server domain
as insecure.
--
Ondřej
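
The two options from the reply above, written out as an unbound.conf fragment. This is an added example, not part of the original message; the file path, the choice of which option is active, and the use of `ntp.org` (the domain named in the question) as the `domain-insecure` value are assumptions.

```conf
# /etc/unbound/unbound.conf (fragment, constructed for illustration)
server:
    # Option 1: ignore RRSIG inception/expiration dates altogether.
    # This affects every zone the resolver validates, not just the NTP
    # names, so it only makes sense for the window before the clock is
    # synchronized. Assumption: once NTP reports sync, the line is
    # removed (or set back to "") and unbound is reloaded.
    # val-override-date: "-1"

    # Option 2: mark only the NTP server domain as insecure. Names under
    # ntp.org are then resolved without following the DNSSEC chain of
    # trust, so a wrong local clock cannot make their validation fail.
    # All other zones keep full validation, including the date checks.
    domain-insecure: "ntp.org"
```

Option 2 can stay in place permanently, at the cost of leaving answers for that one domain unvalidated; option 1 removes signature date checks for the whole resolver while it is set.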