On 16/04/2023 16:05, A. Schulze via Unbound-users wrote:
> this scenario is also mentioned in RFC 8027 [1] with the same options
> to solve that:
> - DNSSEC depends on correct time. If the local time is wrong the system
>   startup will fail -> to be fixed by a human
> - disable DNSSEC validation until the system has a correct time ->
>   it's convenient for the user but hard for you as implementer.
> I personally prefer the first option.
For a small, "IoT" device without real-time clock, the first option is
far from ideal. Typically those devices don't have a user to watch them
boot. For those devices, the solution is obvious, at boot a
'ntpdate'-like program should run with a stub resolver that allows
disabling DNSSEC validation.
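The boot sequence sketched above, as an added example (my own illustration, not Unbound code and not from either poster): a validating-resolver stub that, like a real validator, rejects an answer when the local clock lies outside the RRSIG validity window; a non-validating fallback used only for the NTP server's name; and a minimal SNTP request builder and reply parser (RFC 4330 layout). The zone data, the host name ntp.example.net, the address 192.0.2.123, the build timestamp and the server reply are all constructed so the whole thing runs offline; the UDP round trip is replaced by a function argument.

```python
"""Clock bootstrap for an RTC-less device, with DNSSEC validation bypassed
only for the NTP host lookup.  Added example; all data below is constructed."""
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
BUILD_TIME = 1680000000        # constructed firmware build time: a sanity floor


class DnssecFailure(Exception):
    """Raised when validation fails (here: RRSIG validity window vs. local clock)."""


# Constructed zone data: one A record and its RRSIG validity window (Unix seconds).
FAKE_ZONE = {
    "ntp.example.net": {
        "a": "192.0.2.123",
        "rrsig_inception": 1681000000,   # 2023-04-09
        "rrsig_expiration": 1682000000,  # 2023-04-20
    },
}


def resolve_validating(name, clock_now):
    """Stub validating resolver: a signature outside its validity window at the
    local time is bogus (RFC 4035 section 5.3.1), so the answer is refused."""
    rr = FAKE_ZONE[name]
    if not rr["rrsig_inception"] <= clock_now <= rr["rrsig_expiration"]:
        raise DnssecFailure(f"RRSIG for {name} not valid at local time {clock_now}")
    return rr["a"]


def resolve_insecure(name):
    """Stub resolver with validation disabled: returns the data unchecked."""
    return FAKE_ZONE[name]["a"]


def build_sntp_request():
    """48-byte SNTP client request: LI=0, VN=4, mode=3."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3
    return bytes(pkt)


def parse_sntp_response(pkt):
    """Return the server's transmit timestamp as Unix seconds (float),
    rejecting non-server packets and unsynchronised or kiss-o'-death replies."""
    if len(pkt) < 48:
        raise ValueError("short SNTP packet")
    if pkt[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    stratum = pkt[1]
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-o'-death or unsynchronised server")
    secs, frac = struct.unpack("!II", pkt[40:48])  # transmit timestamp
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def make_sample_reply(unix_secs):
    """Constructed server reply (VN=4, mode=4, stratum 2) carrying unix_secs."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 4
    pkt[1] = 2
    struct.pack_into("!II", pkt, 40, unix_secs + NTP_EPOCH_OFFSET, 0)
    return bytes(pkt)


def bootstrap_clock(ntp_host, clock_now, sntp_exchange):
    """One boot.  Try the validating path first; if the clock makes validation
    fail, resolve only the NTP host without validation, fetch the time, and
    report (new_time, used_insecure_path).  sntp_exchange(addr, request)
    stands in for the UDP round trip."""
    try:
        addr = resolve_validating(ntp_host, clock_now)
        used_insecure = False
    except DnssecFailure:
        addr = resolve_insecure(ntp_host)
        used_insecure = True
    new_time = parse_sntp_response(sntp_exchange(addr, build_sntp_request()))
    if new_time < BUILD_TIME:
        # Nothing fetched over an unauthenticated path should move the clock
        # before the firmware was built.
        raise ValueError("NTP reply earlier than firmware build time")
    # Caller sets the system clock to new_time and re-enables validation
    # for every subsequent lookup.
    return new_time, used_insecure


SERVER_TIME = 1681660800  # constructed "true" time: 2023-04-16 16:00:00 UTC


def fake_exchange(addr, request):
    """Constructed network: answers any mode-3 request to the expected address."""
    assert addr == "192.0.2.123" and request[0] & 0x07 == 3
    return make_sample_reply(SERVER_TIME)


if __name__ == "__main__":
    # Cold boot, clock at the epoch: validation fails, insecure path used once.
    print(bootstrap_clock("ntp.example.net", 0, fake_exchange))
    # Warm reboot with a plausible clock: validation succeeds, no bypass.
    print(bootstrap_clock("ntp.example.net", SERVER_TIME, fake_exchange))
```

The bypass is deliberately narrow: it is taken only when validation fails, only for the NTP host name, and only until the first reply sets the clock. That lookup and the SNTP exchange are still unauthenticated, so anyone on the path can hand the device a time of their choosing and thereby make a replayed, expired RRSIG look valid; the build-time floor above limits how far back the clock can be pushed but not how far forward, which is why a real deployment would pin the NTP server address or use an authenticated time source rather than rely on the DNS answer.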