DNSSEC validating resolver on machines without RTC or wrong date
daisuke.higashi at gmail.com
Mon Apr 17 14:45:23 UTC 2023
Run Unbound in "val-override-date: -1" mode for a very short time after
boot, and once your machine gets a good datetime, restart Unbound in
In this mode, Unbound performs DNSSEC validation without the RRSIG expiration
check. The only risk you must take here is the possibility of accepting
The next problem is to get the datetime by a secure method. Your company
should run a DNS server publishing the datetime in a signed zone, like:
time.redhat.com. IN TXT "1687842121"
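
The step of reading the datetime from a signed TXT record, as an added example that is not part of the original post: it accepts the value only when the local validating resolver marked the answer as authenticated (AD flag) and the value is a plausible epoch. The function name `epoch_from_dig`, the `MIN_EPOCH` floor and the embedded `dig` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed floor: never move the clock to before this instant (for example the
# image build time). Constructed value: 2023-04-17 14:45:23 UTC.
MIN_EPOCH=1681742723

# epoch_from_dig NAME
# Reads the output of `dig +dnssec @127.0.0.1 NAME TXT` on stdin. Prints the
# epoch and returns 0 only if the answer is NOERROR, carries the AD flag, and
# the TXT value for NAME is a sane number. AD is only meaningful when the
# validating resolver is local, since the stub-to-resolver hop is unsigned.
epoch_from_dig() {
    name=$1
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$out" | grep -Eq '^;; flags:[^;]* ad[ ;]' || return 1
    # TXT rdata for exactly this owner name, first match only.
    val=$(printf '%s\n' "$out" |
        awk -v n="$name" '$1==n && $3=="IN" && $4=="TXT" {print $5; exit}')
    val=${val#\"}; val=${val%\"}
    # Digits only, bounded length, not older than the floor.
    case $val in ''|*[!0-9]*) return 1;; esac
    [ "${#val}" -le 11 ] || return 1
    [ "$val" -ge "$MIN_EPOCH" ] || return 1
    printf '%s\n' "$val"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
time.redhat.com. 60 IN TXT "1687842121"'
# Same answer without the AD flag, as an unvalidated response would look.
SAMPLE_NO_AD=$(printf '%s\n' "$SAMPLE_OK" | sed 's/ ra ad;/ ra;/')

# Typical use on the booting machine (needs root and GNU date):
#   epoch=$(dig +dnssec @127.0.0.1 time.redhat.com. TXT \
#             | epoch_from_dig time.redhat.com.) && date -u -s "@$epoch"
```

The floor check limits how far back a replayed old record can push the clock while signature expiration is not being checked.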