DNSSEC validating resolver on machines without RTC or wrong date

A. Schulze sca at andreasschulze.de
Sun Apr 16 14:05:52 UTC 2023

On 16.04.23 at 00:48, Petr Menšík via Unbound-users wrote:
> I maintain unbound on Fedora and RHEL. I met some question on some Fedora channel about problems with NTP service. It turned out the problem of that user lay in the DNSSEC validating resolver and wrong time on his machine. Like a significantly wrong date, which made DNSSEC validation fail because some timestamp check on the RRSIG failed.

Hello Petr,

this scenario is also mentioned in RFC 8027 [1] with the same options to solve that:

- DNSSEC depends on correct time. If the local time is wrong, the system startup will fail -> to be fixed by a human
- disable DNSSEC validation until the system has a correct time -> it's convenient for the user but hard for you as an implementer.

I personally prefer the first option.


[1] https://www.rfc-editor.org/rfc/rfc8027.html#section-6
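The RRSIG timestamp check that a wrong clock trips over, as an added illustration (not code from this thread or from Unbound): RRSIG inception/expiration are 32-bit UTC timestamps compared with RFC 1982 serial arithmetic, so a clock that is years behind (no RTC) or years ahead lands outside the window and validation fails. The signature window and the three clocks are constructed sample values.

```python
import datetime as dt

MASK32 = 0xFFFFFFFF          # RRSIG times are unsigned 32-bit seconds (RFC 4034 3.1.5)
HALF32 = 1 << 31             # serial-number arithmetic half-window (RFC 1982)

def rrsig_time(spec: str) -> int:
    """Parse an RRSIG-style 'YYYYMMDDHHmmSS' UTC timestamp into a 32-bit epoch value."""
    t = dt.datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
    return int(t.timestamp()) & MASK32

def serial_lt(a: int, b: int) -> bool:
    """True if a < b under RFC 1982 serial-number arithmetic (wraps at 2^32)."""
    return a != b and ((a < b and b - a < HALF32) or (a > b and a - b > HALF32))

def rrsig_window_ok(inception: str, expiration: str, now: str, skew: int = 0):
    """Check an RRSIG validity window against the resolver's clock.

    Returns (True, "valid") or (False, reason). `skew` widens the window by a
    few seconds, like a validator's allowed clock skew; it cannot rescue a
    clock that is off by years, which is the case discussed in the thread."""
    inc, exp, t = rrsig_time(inception), rrsig_time(expiration), rrsig_time(now)
    if serial_lt(exp, inc):
        return False, "bogus: expiration precedes inception"
    if serial_lt((t + skew) & MASK32, inc):
        return False, "not yet valid (clock behind inception)"
    if serial_lt(exp, (t - skew) & MASK32):
        return False, "expired (clock past expiration)"
    return True, "valid"

# Constructed sample RRSIG window: signed 2023-04-01, expires 2023-05-01.
INCEPTION = "20230401000000"
EXPIRATION = "20230501000000"

def demo():
    """Same signature, three constructed resolver clocks."""
    return {
        "correct clock": rrsig_window_ok(INCEPTION, EXPIRATION, "20230416140000"),
        "no RTC, clock at 2000": rrsig_window_ok(INCEPTION, EXPIRATION, "20000101000000"),
        "clock years ahead": rrsig_window_ok(INCEPTION, EXPIRATION, "20300101000000"),
    }

if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:24} -> {'OK' if ok else 'FAIL'}: {reason}")
```

Only the first clock validates; the other two fail for the reason shown, which is why fixing the clock (option one above) rather than relaxing validation is the safe answer.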

