Maintained by: NLnet Labs

Unbound verifies expired DNSSEC signature on gajim.org

Simon Deziel
Wed May 18 02:24:00 CEST 2016


Hi Julian,

On 2016-05-17 08:07 PM, Julian Brost via Unbound-users wrote:
> Hi,
> 
> my unbound 1.5.8 currently (as of 2016-05-17 23:43:16 UTC) successfully
> verifies the DNSSEC signatures for gajim.org/A where the corresponding
> RRSIG record currently looks like this (for full data see attached file
> dig.txt):
> 
> gajim.org.		86398 IN RRSIG A 8 2 86400 20160517181943 [...]
> 
> So in my understanding that signature expired at 2016-05-17 18:19:43 UTC
> which is a few hours ago and thus the query should result in a SERVFAIL.
> unbound still returns that response, even with the AD flag set. Is that
> supposed to happen?

unbound allows for some clock skew as explained in man 5 unbound.conf:

> val-sig-skew-max: <seconds>
>   Maximum number of seconds of clock skew to apply to validated
>   signatures. A value of 10% of the signature lifetime
>   (expiration - inception) is used, capped by this setting. Default
>   is 86400 (24 hours)...

HTH,
Simon