DNSSEC validating resolver on machines without RTC or wrong date

Daisuke HIGASHI daisuke.higashi at gmail.com
Mon Apr 17 14:45:23 UTC 2023

  Run Unbound in "val-override-date: -1" mode at very short term after
boot, and once your machine gets good datetime[1], restart Unbound in
normal mode.

  In this mode, Unbound performs DNSSEC validation without RRSIG expiration
check. The only risk you must take here is the possibility of accepting
expired signatures.

[1] The next problem is to get datetime by secure method. Your company
should run DNS server publishing datetime in signed zone like:
    time.redhat.com.  IN TXT "1687842121"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230417/559b6b2a/attachment.htm>

More information about the Unbound-users mailing list