DNSSEC validating resolver on machines without RTC or wrong date

Petr Menšík pemensik at redhat.com
Thu Apr 20 11:00:26 UTC 2023

Oh great, I were not aware there is something similar. I would like to 
avoid the need for a restart. dnsmasq has similar special knob, but I 
were not aware unbound has something like it too.

I have tested it even on older unbound, it is possible to manipulate 
this properly via unbound-control set_option "val-override-date: -1"

And indeed, if I set the clock to wrong value and flush org zone, it 
fails until I call above unbound-control command. It is a bit concerning 
in that case it still has ad bit, even though it were not full 
validated. And I expect no other indication to client hints not full 
validation were done. But yes, starting with val-override-date: -1 in 
configuration and setting "val-override-date: 0" with cache flush once 
time is set initially after boot would be the best solution I can find.

The cache flush could be avoided if it were possible to flush just 
records, which do not pass only time checks. Since we have already done 
crypto validation, we have already the most CPU intensive work done. 
Better to not waste it by full cache flush again.

On 17. 04. 23 16:45, Daisuke HIGASHI wrote:
>   Run Unbound in "val-override-date: -1" mode at very short term after 
> boot, and once your machine gets good datetime[1], restart Unbound in 
> normal mode.
>   In this mode, Unbound performs DNSSEC validation without RRSIG 
> expiration check. The only risk you must take here is the possibility 
> of accepting expired signatures.
> [1] The next problem is to get datetime by secure method. Your company 
> should run DNS server publishing datetime in signed zone like:
> time.redhat.com <http://time.redhat.com>.  IN TXT "1687842121"

No, I really do not think we should make methods alternative to NTP in 
the DNS itself. Besides fetching such name still requires valid time to 
check com. zone (redhat.com is not signed at the moment).

Petr Menšík
Software Engineer, RHEL
Red Hat,http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230420/0a323394/attachment.htm>

More information about the Unbound-users mailing list