On 30.03.2011 14:44, Stephane Bortzmeyer wrote: > What is your value of val-sig-skew-min and val-sig-skew-max? By > default, Unbound allows expired signatures for 10 % of their validity > period. They're still at their default values: # The signature inception and expiration dates are allowed to be off # by 10% of the signature lifetime (expir-incep) from our local clock. # This leeway is capped with a minimum and a maximum. In seconds. # val-sig-skew-min: 3600 # val-sig-skew-max: 86400 val-sig-skew-max should have limited the allowed skew anyway, as the signatures already expired two days ago. After flushing the cache, Unbound returns SERVFAIL, as expected: > unbound: info: Could not establish a chain of trust to keys for <mixmin.net. DNSKEY IN> > unbound: info: validation failure <fleegle.mixmin.net. A IN>: signature expired from 188.8.131.52 for key mixmin.net. while building chain of trust Hauke.