DNSSEC validating resolver on machines without RTC or wrong date

Philip Homburg philip at nlnetlabs.nl
Sun Apr 16 14:25:30 UTC 2023

On 16/04/2023 16:05, A. Schulze via Unbound-users wrote:
> this scenario is also mentioned in RFC 8027 [1] with the same options 
> to solve that:
> - DNSSEC depend on correct time. If the local time is wrong the system 
> startup will fail -> to be fixed by a human
> - disable DNSSEC validation until the system has a correct time -> 
> it's convenient for the user but hard for you as implementer.
> I personally prefer the first option.

For a small, "IoT" device without real-time clock, the first option is 
far from ideal. Typically those devices don't have a user to watch them 
boot. For those devices, the solution is obvious: at boot, an 
'ntpdate'-like program should run with a stub resolver that allows 
disabling DNSSEC validation.
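As an added illustration (not part of this thread), the time-window check a validator applies to every RRSIG (RFC 4034 section 3.1.5, using RFC 1982 serial number arithmetic) run against a constructed signature window, plus the boot-time decision described above: treat the clock as untrusted until it is at least past the firmware build time, and only then validate. The signature dates and build timestamp are constructed values.

```python
"""Why a device booting with a 1970 clock cannot validate DNSSEC.

RFC 4034 s3.1.5: RRSIG inception/expiration are 32-bit seconds since the
epoch, compared with RFC 1982 serial number arithmetic (SERIAL_BITS = 32).
The signature window and firmware build time below are constructed."""
from datetime import datetime, timezone

MOD = 1 << 32   # size of the 32-bit serial number space
HALF = 1 << 31  # differences larger than this are treated as wraparound

def utc(*ymdhms: int) -> int:
    """Seconds since the epoch for a UTC date, e.g. utc(2023, 4, 16)."""
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())

def serial_lt(a: int, b: int) -> bool:
    """RFC 1982: a < b in 32-bit serial space (handles wraparound)."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)

def serial_le(a: int, b: int) -> bool:
    return a % MOD == b % MOD or serial_lt(a, b)

def rrsig_time_status(inception: int, expiration: int, now: int) -> str:
    """'valid' iff inception <= now <= expiration in serial arithmetic."""
    if not serial_le(inception, now):
        return "not yet valid"
    if not serial_le(now, expiration):
        return "expired"
    return "valid"

# Constructed: a two-week signature window and a firmware build date.
INCEPTION = utc(2023, 4, 10)
EXPIRATION = utc(2023, 4, 24)
BUILD_TIME = utc(2023, 3, 1)

def clock_plausible(now: int, build_time: int = BUILD_TIME) -> bool:
    """A clock earlier than the firmware build time cannot be correct."""
    return now >= build_time

def boot_resolver_mode(now: int, build_time: int = BUILD_TIME) -> str:
    """Bootstrap order from the post: with no plausible clock, first sync
    time through a stub resolver with validation off, then validate."""
    return "validate" if clock_plausible(now, build_time) else "time-sync-first"

if __name__ == "__main__":
    for label, now in [("epoch (no RTC)", 0),
                       ("post date", utc(2023, 4, 16, 14, 25, 30)),
                       ("a month later", utc(2023, 5, 16))]:
        print(f"{label:15} rrsig={rrsig_time_status(INCEPTION, EXPIRATION, now):14}"
              f" mode={boot_resolver_mode(now)}")
```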
