resolution fails when the date of the server is more than 2 days late

Ondřej Caletka ondrej at
Mon Mar 2 07:47:54 UTC 2020

> Is there a way to prevent this behaviour from unbound, and get at least
> resolved when there is a serious clock drift ?

Hello Dysmas,

according to unbound.conf(5):

>        val-override-date: <rrsig-style date spec>
>               Default is "" or "0", which disables this debugging feature. If enabled by giving a
>               RRSIG style date, that date is used for verifying RRSIG inception and expiration dates,
>               instead of the current date. Do not set this unless you are debugging signature
>               inception and expiration. The value -1 ignores the date altogether, useful for some
>               special applications.

So I guess the way out is to boot the device with `val-override-date: -1`
and after the clock is synchronized (which should be signalled by
NTP). The other option is to declare the NTP server domain as insecure.


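The boot-time sequence suggested in the message above, as an added example that is not part of the original post and not code from the Unbound project: it keeps `val-override-date: -1` in place only until NTP reports synchronization, then restores date checking and reloads. Assumptions: a systemd host (`timedatectl`), `remote-control` enabled so `unbound-control` works, and a hypothetical include file `/etc/unbound/clock-override.conf` referenced from `unbound.conf`.

```shell
#!/bin/sh
# Added example: keep "val-override-date: -1" only until the clock is synchronized.
# Assumed: unbound.conf contains  include: "/etc/unbound/clock-override.conf"
OVERRIDE_FILE="${OVERRIDE_FILE:-/etc/unbound/clock-override.conf}"  # hypothetical path

# Assumption: systemd host; replace with your NTP client's own sync check if different.
clock_synced() {
    [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes" ]
}

# Print the include-file contents for a clock state ("unsynced" or "synced").
render_override() {
    case "$1" in
        # RRSIG inception/expiration dates are ignored: expired signatures validate.
        unsynced) printf 'server:\n    val-override-date: -1\n' ;;
        # "0" is the documented default: dates are checked against the system clock.
        synced)   printf 'server:\n    val-override-date: 0\n' ;;
        *)        echo "unknown state: $1" >&2; return 2 ;;
    esac
}

# Replace the include file atomically so unbound never reads a half-written file.
write_override() {
    tmp="$OVERRIDE_FILE.tmp.$$"
    if render_override "$1" > "$tmp"; then
        mv "$tmp" "$OVERRIDE_FILE"
    else
        rm -f "$tmp"; return 1
    fi
}

main() {
    case "${1:-}" in
        boot)  # run before unbound starts
            if clock_synced; then write_override synced; else write_override unsynced; fi ;;
        wait)  # run once unbound is up; blocks until NTP reports synchronization
            until clock_synced; do sleep 5; done
            # reload re-reads the config and drops the cache, including any answers
            # that were accepted while date checking was off
            write_override synced && unbound-control reload ;;
    esac
}
main "$@"
```

Run it with `boot` before the resolver starts and with `wait` afterwards, so the window in which signature dates go unchecked ends as soon as the clock is trustworthy.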

More information about the Unbound-users mailing list