On 16.04.23 at 00:48, Petr Menšík via Unbound-users wrote:
I maintain unbound on Fedora and RHEL. I met some question on some Fedora 
channel about problems with the NTP service. It turned out the problem of that 
user lay in the DNSSEC validating resolver and the wrong time on his machine. Like 
a significantly wrong date, which made DNSSEC validation fail because some 
timestamp on RRSIG did not fail.

Hello Petr,

this scenario is also mentioned in RFC 8027 [1] with the same options to solve 
that:

- DNSSEC depends on correct time. If the local time is wrong the system startup 
will fail -> to be fixed by a human
- disable DNSSEC validation until the system has a correct time -> it's 
convenient for the user but hard for you as the implementer.

I personally prefer the first option.

Andreas

[1] https://www.rfc-editor.org/rfc/rfc8027.html#section-6
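
Added example, not part of the original messages and not Unbound's code: a minimal Python sketch of the RRSIG inception/expiration check (RFC 4034 section 3.1.5, using RFC 1982 serial arithmetic) showing why a badly wrong local clock makes every signature fail. The function names, the `skew` parameter and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

HALF = 1 << 31          # RFC 1982 comparison window for 32-bit serials
MASK = 0xFFFFFFFF

def rrsig_time(text):
    """YYYYMMDDHHmmSS (RRSIG presentation format, UTC) -> 32-bit seconds."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & MASK

def serial_lt(a, b):
    """True if a precedes b in RFC 1982 serial number arithmetic."""
    return a != b and ((b - a) & MASK) < HALF

def rrsig_time_status(inception, expiration, now, skew=0):
    """Classify the local clock against one signature validity window.

    skew is a hypothetical tolerance in seconds, not a resolver setting.
    """
    if serial_lt((now + skew) & MASK, inception):
        return "not-yet-valid"   # local clock is behind the signer
    if serial_lt(expiration, (now - skew) & MASK):
        return "expired"         # local clock is ahead, or the zone is stale
    return "valid"

# Constructed sample window, not taken from a real zone.
INCEPTION = rrsig_time("20230401000000")
EXPIRATION = rrsig_time("20230501000000")

if __name__ == "__main__":
    for label, clock in [("correct clock", "20230416004800"),
                         ("RTC reset to 2000", "20000101000000"),
                         ("clock months ahead", "20240101000000")]:
        print(label, "->",
              rrsig_time_status(INCEPTION, EXPIRATION, rrsig_time(clock)))
```

A host whose clock has reset to an old date reports "not-yet-valid" for every signature, including those on the names of its NTP servers, which is the bootstrap problem both options above try to address.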
