Run Unbound in "val-override-date: -1" mode for a very short time after
boot, and once your machine gets a good datetime[1], restart Unbound in
normal mode.

  In this mode, Unbound performs DNSSEC validation without the RRSIG
expiration check. The only risk you must take here is the possibility of
accepting expired signatures.

[1] The next problem is to get the datetime by a secure method. Your company
should run a DNS server publishing the datetime in a signed zone, like:
    time.redhat.com.  IN TXT "1687842121"
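
The procedure above written as a boot-time script. This is an added example, not part of the original message; the config paths, the name time.example.com., the clock floor, GNU date and an enabled unbound-control are all assumptions.

```shell
#!/bin/sh
# Added example; every path, name and value below is an assumption.
BOOT_CONF=/etc/unbound/unbound-boot.conf  # hypothetical: has val-override-date: -1
NORMAL_CONF=/etc/unbound/unbound.conf     # hypothetical: no date override
TIME_NAME=time.example.com.               # placeholder signed TXT name
FLOOR=1687842121                          # constructed floor, e.g. image build time

# Read dig output on stdin. Print the epoch only when the resolver set the
# AD flag (answer validated) and the TXT value is a plain 10-digit number.
parse_signed_time() {
    awk -v n="$TIME_NAME" '
        /^;; flags:/ { split($0, p, ";"); if (p[3] ~ /(^| )ad( |$)/) ad = 1 }
        tolower($1) == tolower(n) && $4 == "TXT" && $5 ~ /^"[0-9]+"$/ {
            gsub(/"/, "", $5); t = $5
        }
        END { if (ad && length(t) == 10) { print t } else { exit 1 } }'
}

# With the expiration check off, an old signed answer still validates, so
# refuse any time earlier than a floor this machine already knows is past.
accept_time() {
    [ "$1" -ge "$FLOOR" ]
}

bootstrap_time() {
    # Step 1: validator running without the RRSIG date check.
    unbound -c "$BOOT_CONF" || return 1
    # Step 2: fetch the signed time through it and set the clock (GNU date).
    t=$(dig @127.0.0.1 "$TIME_NAME" TXT +dnssec | parse_signed_time) \
        && accept_time "$t" && date -s "@$t" >/dev/null
    rc=$?
    # Step 3: always return to normal validation, even if step 2 failed.
    unbound-control -c "$BOOT_CONF" stop
    unbound -c "$NORMAL_CONF" || return 1
    return $rc
}

# Only touch the system when asked to; sourcing the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    bootstrap_time
fi
```

The floor check narrows the risk stated above: an expired signature can still be accepted during the boot window, but it cannot move the clock back before the floor.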
