DNSSEC validating resolver on machines without RTC or wrong date
Daisuke HIGASHI
daisuke.higashi at gmail.com
Mon Apr 17 14:45:23 UTC 2023
Run Unbound in "val-override-date: -1" mode for a very short time after
boot, and once your machine gets a good datetime[1], restart Unbound in
normal mode.
In this mode, Unbound performs DNSSEC validation without the RRSIG expiration
check. The only risk you must take here is the possibility of accepting
expired signatures.
[1] The next problem is to get the datetime by a secure method. Your company
should run a DNS server publishing the datetime in a signed zone, like:
time.redhat.com. IN TXT "1687842121"
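The sequence described in the post, as an added example in POSIX shell that is not part of the original message: it writes the bootstrap configuration, reloads the resolver, trusts the TXT timestamp only when the answer carries the AD flag (i.e. it passed DNSSEC validation), refuses a time older than the image build so that a replayed expired signature can only move the clock a bounded distance, sets the clock and then returns to normal validation. The zone name time.example.com, the BUILD_EPOCH floor, the config path and the use of unbound-control are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap an Unbound validator on
# a host whose clock is wrong at boot. Assumptions: the signed zone publishes
# the epoch at time.example.com, BUILD_EPOCH is the image's build time, and
# the resolver listens on 127.0.0.1 with the config path below.

UNBOUND_CONF="${UNBOUND_CONF:-/etc/unbound/unbound.conf}"
TIME_NAME="${TIME_NAME:-time.example.com.}"
# Assumed floor (2023-04-17T00:00:00Z): no genuine answer can be older than
# the build that produced this image; set it from your build pipeline.
BUILD_EPOCH="${BUILD_EPOCH:-1681689600}"

# Emit a minimal unbound.conf. With an argument, add val-override-date with
# that value: -1 makes Unbound skip the RRSIG validity-date check (bootstrap
# mode). Without an argument, normal validation applies.
write_conf() {
    cat <<EOF
server:
    interface: 127.0.0.1
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
EOF
    if [ $# -gt 0 ]; then
        printf '    val-override-date: %s\n' "$1"
    fi
}

# Print the epoch from "dig +noall +comments +answer ... TXT" output, but only
# if the header carries the AD flag (the answer passed DNSSEC validation) and
# the TXT data is a plain decimal number. Returns 1 otherwise.
extract_signed_time() {
    resp="$1"
    printf '%s\n' "$resp" | grep -q '^;; flags:.*[ ]ad[ ;]' || return 1
    epoch=$(printf '%s\n' "$resp" | awk -v name="$TIME_NAME" \
        '$1 == name && $4 == "TXT" { gsub(/"/, "", $5); print $5; exit }')
    case "$epoch" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$epoch"
}

# With the date check off, the attack the post mentions is replay of an
# expired but once-valid record, which can only report an old time. Refusing
# anything older than the build bounds how far back the clock can be pushed.
time_is_plausible() {
    [ "$1" -ge "$BUILD_EPOCH" ]
}

# Full sequence: bootstrap mode, fetch and check the signed time, set the
# clock, then return to normal validation. Needs root, unbound-control and dig;
# only runs when the script is invoked with --run.
bootstrap_clock() {
    write_conf -1 > "$UNBOUND_CONF"
    unbound-control reload
    resp=$(dig @127.0.0.1 +noall +comments +answer "$TIME_NAME" TXT)
    epoch=$(extract_signed_time "$resp") || {
        echo "time record did not validate, not setting the clock" >&2
        return 1
    }
    time_is_plausible "$epoch" || { echo "implausible time $epoch" >&2; return 1; }
    date -u -s "@$epoch"
    write_conf > "$UNBOUND_CONF"
    unbound-control reload
}

# Constructed dig output for offline checks (not captured from a real server).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
time.example.com.  60  IN  TXT  "1687842121"'

SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
time.example.com.  60  IN  TXT  "1687842121"'

if [ "${1:-}" = "--run" ]; then
    bootstrap_clock
fi
```

If the fetch or either check fails, the script returns without touching the clock and leaves the resolver in bootstrap mode, so a retry loop (for example from a systemd timer) can call it again; only a validated, plausible answer moves it back to normal validation.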