Unbound verifies expired DNSSEC signature on gajim.org
Simon Deziel
simon+unbound at sdeziel.info
Wed May 18 00:24:00 UTC 2016

Hi Julian,
On 2016-05-17 08:07 PM, Julian Brost via Unbound-users wrote:
> Hi,
>
> my unbound 1.5.8 currently (as of 2016-05-17 23:43:16 UTC) successfully
> verifies the DNSSEC signatures for gajim.org/A where the corresponding
> RRSIG record currently looks like this (for full data see attached file
> dig.txt):
>
> gajim.org. 86398 IN RRSIG A 8 2 86400 20160517181943 [...]
>
> So in my understanding that signature expired at 2016-05-17 18:19:43 UTC
> which is a few hours ago and thus the query should result in a SERVFAIL.
> unbound still returns that response, even with the AD flag set. Is that
> supposed to happen?
unbound allows for some clock skew as explained in man 5 unbound.conf:
> val-sig-skew-max: <seconds>
> Maximum number of seconds of clock skew to apply to validated
> signatures. A value of 10% of the signature lifetime
> (expiration - inception) is used, capped by this setting. Default
> is 86400 (24 hours)...
HTH,
Simon
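The skew rule Simon quotes (10% of the signature lifetime, capped by val-sig-skew-max, default 86400) is easy to check by hand. The following Python is an added illustration, not part of the original thread or of unbound's code: it parses RRSIG inception/expiration fields, computes the allowance unbound would apply, and classifies a signature at a given wall-clock time. Julian's RRSIG inception is elided in the mail, so the inception values below are constructed assumptions; the expiration (20160517181943) and query time (2016-05-17 23:43:16 UTC) are the ones from his message.

```python
from datetime import datetime, timedelta, timezone

# Default for val-sig-skew-max, per unbound.conf(5) as quoted in the thread.
VAL_SIG_SKEW_MAX_DEFAULT = 86400


def parse_rrsig_time(stamp):
    """Parse an RRSIG inception/expiration field (YYYYMMDDHHMMSS, always UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def skew_allowance(inception, expiration, skew_max=VAL_SIG_SKEW_MAX_DEFAULT):
    """Seconds of clock skew tolerated: 10% of the signature lifetime
    (expiration - inception), capped by val-sig-skew-max."""
    lifetime = int((expiration - inception).total_seconds())
    return min(lifetime // 10, skew_max)


def check_signature_dates(inception_stamp, expiration_stamp, now,
                          skew_max=VAL_SIG_SKEW_MAX_DEFAULT):
    """Classify an RRSIG's validity window at time `now`, skew included.

    Returns (verdict, skew_seconds) with verdict one of
    "valid", "expired" or "not yet valid".  An "expired" or "not yet valid"
    verdict is what turns into SERVFAIL for a validating resolver.
    """
    incep = parse_rrsig_time(inception_stamp)
    expi = parse_rrsig_time(expiration_stamp)
    skew_seconds = skew_allowance(incep, expi, skew_max)
    skew = timedelta(seconds=skew_seconds)
    if now < incep - skew:
        return "not yet valid", skew_seconds
    if now > expi + skew:
        return "expired", skew_seconds
    return "valid", skew_seconds


def seconds_past_expiration(expiration_stamp, now):
    """How far past the literal expiration `now` is (negative if not yet expired)."""
    return int((now - parse_rrsig_time(expiration_stamp)).total_seconds())


if __name__ == "__main__":
    # Query time from Julian's mail.
    now = datetime(2016, 5, 17, 23, 43, 16, tzinfo=timezone.utc)
    expiration = "20160517181943"  # from the RRSIG in the mail

    # Constructed: a 10-day signature lifetime.  10% is 86400 s, which hits the cap.
    long_lived_inception = "20160507181943"
    # Constructed: a 1-day signature lifetime.  10% is only 8640 s.
    short_lived_inception = "20160516181943"

    print("seconds past expiration:", seconds_past_expiration(expiration, now))
    for label, incep in (("10-day lifetime", long_lived_inception),
                         ("1-day lifetime", short_lived_inception)):
        verdict, skew = check_signature_dates(incep, expiration, now)
        print(f"{label}: skew allowance {skew}s -> {verdict}")
```

With the constructed 10-day lifetime the signature is 19413 seconds past expiration but inside the 86400-second allowance, so it is still treated as valid and the AD flag is set; with a 1-day lifetime the allowance shrinks to 8640 seconds and the same query would SERVFAIL. Lowering val-sig-skew-max tightens the window on a resolver you operate, at the cost of more SERVFAILs when zone operators re-sign late.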