DNSSEC validating resolver on machines without RTC or wrong date
Philip Homburg
philip at nlnetlabs.nl
Sun Apr 16 14:25:30 UTC 2023
On 16/04/2023 16:05, A. Schulze via Unbound-users wrote:
>
>
> this scenario is also mentioned in RFC 8027 [1] with the same options
> to solve that:
>
> - DNSSEC depends on correct time. If the local time is wrong the system
> startup will fail -> to be fixed by a human
> - disable DNSSEC validation until the system has a correct time ->
> it's convenient for the user but hard for you as implementer.
>
> I personally prefer the first option.
>
For a small, "IoT" device without real-time clock, the first option is
far from ideal. Typically those devices don't have a user to watch them
boot. For those devices, the solution is obvious: at boot, an
'ntpdate'-like program should run with a stub resolver that allows
disabling DNSSEC validation.
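An added example of the bootstrap stub resolver sketched above (not code from the thread or from the Unbound project): before the clock is trusted, the NTP server name is looked up with the DNS CD ("checking disabled") bit set, so a validating resolver hands back the answer even though every RRSIG would fail its validity-window check against a clock stuck at epoch; once the clock is at least as late as the firmware build time, queries go back to normal validated lookups. The resolver address, the build timestamp and the sample response bytes are constructed assumptions for the example.

```python
"""Bootstrap lookup for an NTP server with DNSSEC checking disabled (CD bit).

Added example, not from the mailing-list post.  Assumes a local validating
resolver (such as Unbound) listening on 127.0.0.1:53.  A clock earlier than
the firmware build time cannot be right, which is the plausibility check used
to decide whether validation can be required yet.
"""
import random
import socket
import struct
import time

# Constructed placeholder: the firmware build timestamp (2023-04-16T14:25:30Z).
BUILD_TIME = 1681655130

FLAG_RD = 0x0100  # recursion desired
FLAG_CD = 0x0010  # checking disabled: resolver returns data it could not validate
FLAG_AD = 0x0020  # authentic data: set by the resolver on validated answers

# Constructed response for offline use: id 0x1234, flags QR|RD|RA, one question
# (pool.ntp.org A), one answer (name pointer to offset 12, TTL 3600, 192.0.2.1).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x04pool\x03ntp\x03org\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
)


def clock_is_plausible(now=None, build_time=BUILD_TIME):
    """True if the system clock is not earlier than the firmware build time."""
    now = time.time() if now is None else now
    return now >= build_time


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, checking_disabled=True, txid=None):
    """DNS query in wire format: 12-byte header followed by one question."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_a_records(msg, expected_txid=None):
    """Return (ad_flag, [IPv4 strings]) from a response; raise on error rcode."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return bool(flags & FLAG_AD), addrs


def resolve(name, server="127.0.0.1", checking_disabled=True, timeout=2.0):
    """Send one UDP query to the local resolver and parse the A records."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, checking_disabled=checking_disabled, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, expected_txid=txid)


def bootstrap_lookup(name, now=None, server="127.0.0.1"):
    """Set CD only while the clock is implausible; otherwise ask for validation."""
    return resolve(name, server, checking_disabled=not clock_is_plausible(now))


if __name__ == "__main__":
    print(bootstrap_lookup("pool.ntp.org"))
```

The CD bit only affects what the resolver is willing to return; the unvalidated address is used for nothing except reaching a time source, and after the clock is set, the same code path issues ordinary queries again so that later lookups get full DNSSEC validation.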