Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Hauke Lampe
Wed Mar 30 14:52:45 CEST 2011

On 30.03.2011 14:44, Stephane Bortzmeyer wrote:

> What is your value of val-sig-skew-min and val-sig-skew-max? By
> default, Unbound allows expired signatures for 10 % of their validity
> period.

They're still at their default values:

# The signature inception and expiration dates are allowed to be off
# by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum.  In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400

val-sig-skew-max should have limited the allowed skew anyway, as the
signatures already expired two days ago.

After flushing the cache, Unbound returns SERVFAIL, as expected:

> unbound: info: Could not establish a chain of trust to keys for < DNSKEY IN>
> unbound: info: validation failure < A IN>: signature expired from for key while building chain of trust
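To make the arithmetic behind the quoted skew rule concrete, here is an added example (not code from the mail or from Unbound itself) that models the leeway described above: 10% of the signature lifetime, clamped to the val-sig-skew-min / val-sig-skew-max defaults quoted from unbound.conf. The function names, the RRSIG timestamp helper and the sample inception/expiration values are constructed for this illustration; it shows why a signature that expired two days earlier falls well outside the 86400-second cap and must be rejected once validation actually runs, which matches the SERVFAIL seen after the cache flush.

```python
from datetime import datetime, timezone

# Defaults quoted in the mail (unbound.conf): the leeway is capped to this range.
DEFAULT_SKEW_MIN = 3600   # val-sig-skew-min, seconds
DEFAULT_SKEW_MAX = 86400  # val-sig-skew-max, seconds


def rrsig_time(text):
    """Parse an RRSIG presentation-format timestamp (YYYYMMDDHHMMSS, UTC)
    into a Unix timestamp. Hypothetical helper, not Unbound's parser."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def allowed_skew(inception, expiration,
                 skew_min=DEFAULT_SKEW_MIN, skew_max=DEFAULT_SKEW_MAX):
    """Leeway in seconds: 10% of the signature lifetime (expiration - inception),
    clamped to [skew_min, skew_max], as described in the quoted config comment."""
    lifetime = expiration - inception
    skew = lifetime // 10
    return max(skew_min, min(skew, skew_max))


def check_dates(now, inception, expiration,
                skew_min=DEFAULT_SKEW_MIN, skew_max=DEFAULT_SKEW_MAX):
    """Judge an RRSIG's validity window against local clock `now`.

    Returns 'valid', 'expired' or 'not_yet_valid'. The comparison applies the
    leeway on both sides of the window (model of the rule in the mail, not a
    reproduction of Unbound's source).
    """
    skew = allowed_skew(inception, expiration, skew_min, skew_max)
    if now > expiration + skew:
        return "expired"
    if now < inception - skew:
        return "not_yet_valid"
    return "valid"


# Constructed scenario: a 27-day signature that expired two days before "now".
SAMPLE_INCEPTION = rrsig_time("20110301120000")
SAMPLE_EXPIRATION = rrsig_time("20110328120000")
SAMPLE_NOW = rrsig_time("20110330120000")


def sample_verdict():
    """Verdict for the constructed scenario: 10% of 27 days is 233280 s, which is
    clamped down to 86400 s; two days (172800 s) past expiration exceeds it."""
    return check_dates(SAMPLE_NOW, SAMPLE_INCEPTION, SAMPLE_EXPIRATION)


if __name__ == "__main__":
    skew = allowed_skew(SAMPLE_INCEPTION, SAMPLE_EXPIRATION)
    print("lifetime (s):", SAMPLE_EXPIRATION - SAMPLE_INCEPTION)
    print("allowed skew (s):", skew)
    print("seconds past expiration:", SAMPLE_NOW - SAMPLE_EXPIRATION)
    print("verdict:", sample_verdict())
```

The clamp matters in both directions: a very short-lived signature (say one hour) gets 10% = 360 s of leeway raised to the 3600 s minimum, while a long-lived one is held to the 86400 s maximum regardless of its lifetime. An answer served from cache without re-validation is not subject to this check, which is consistent with the stale "AD" answers disappearing only after the cache was flushed.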