Maintained by: NLnet Labs

[Unbound-users] Expired signature accepted?

W.C.A. Wijngaards
Fri Oct 16 10:21:54 CEST 2009


Hi Stephane,

On 10/16/2009 09:28 AM, Stephane Bortzmeyer wrote:
> keltia.net is signed, is in DLV and the signatures are expired since yesterday.
>
> Yet, Unbound 1.3.2 accepts it and flags it as authentic:

24 hour signature skew, default allowed to allow for time-zone 
misconfigurations.  Config val-sig-skew-min and val-sig-skew-max.
Unbound allows a skew of max 10% of the signature TTL, that value
must be between 1 hour and 24 hours (see config items to change).

Best regards,
    Wouter
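
The skew rule described in this reply, modelled as an added Python example (not part of the original message and not Unbound's source code). The function names are hypothetical, the timestamps are constructed, and "signature TTL" is assumed to mean the RRSIG validity period (expiration minus inception).

```python
# Added illustration; not Unbound source code. Models the rule in the reply:
# skew = 10% of the signature validity period, bounded by val-sig-skew-min
# and val-sig-skew-max (1 hour and 24 hours by default, per the reply).
# Assumption: plain integer seconds; RFC 1982 serial wraparound is ignored.

HOUR = 3600
DAY = 24 * HOUR


def allowed_skew(inception, expiration, skew_min=HOUR, skew_max=DAY):
    """Clock skew (seconds) tolerated around the RRSIG validity window."""
    skew = (expiration - inception) // 10
    skew = max(skew, skew_min)   # raise to the configured minimum
    skew = min(skew, skew_max)   # cap at the configured maximum
    return skew


def rrsig_time_ok(now, inception, expiration, skew_min=HOUR, skew_max=DAY):
    """True if 'now' is inside the validity window widened by the skew."""
    if inception > expiration:
        return False                      # malformed validity period
    skew = allowed_skew(inception, expiration, skew_min, skew_max)
    if inception - now > skew:
        return False                      # not yet valid, beyond skew
    if now - expiration > skew:
        return False                      # expired, beyond skew
    return True


# Constructed sample values (not taken from keltia.net).
INCEPTION = 1_000_000_000
EXP_30D = INCEPTION + 30 * DAY            # 30-day signature
EXP_5H = INCEPTION + 5 * HOUR             # 5-hour signature

if __name__ == "__main__":
    cases = [
        ("30d sig, expired 20h ago, defaults", EXP_30D + 20 * HOUR, EXP_30D, {}),
        ("30d sig, expired 25h ago, defaults", EXP_30D + 25 * HOUR, EXP_30D, {}),
        ("30d sig, expired 20h ago, skew 0/0", EXP_30D + 20 * HOUR, EXP_30D,
         {"skew_min": 0, "skew_max": 0}),
        ("5h sig, expired 90min ago, defaults", EXP_5H + 90 * 60, EXP_5H, {}),
    ]
    for label, now, exp, kw in cases:
        print(f"{label}: accepted={rrsig_time_ok(now, INCEPTION, exp, **kw)}")
```

A signature that expired "yesterday" falls in the first case: with the default 24 hour ceiling it is still accepted, and lowering the bounds is what makes the validator reject it sooner.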