Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Stephane Bortzmeyer
Wed Mar 30 14:44:13 CEST 2011


On Wed, Mar 30, 2011 at 01:54:44PM +0200,
 Hauke Lampe <lampe at hauke-lampe.de> wrote 
 a message of 57 lines which said:

> I have a case here where RRSIGs expired, yet Unbound still sets the
> "AD" flag in responses.

What is your value of val-sig-skew-min and val-sig-skew-max? By
default, Unbound allows expired signatures for 10 % of their validity
period.