Hi Julian,

On 2016-05-17 08:07 PM, Julian Brost via Unbound-users wrote:
> Hi,
>
> my unbound 1.5.8 currently (as of 2016-05-17 23:43:16 UTC) successfully
> verifies the DNSSEC signatures for gajim.org/A where the corresponding
> RRSIG record currently looks like this (for full data see attached file
> dig.txt):
>
> gajim.org. 86398 IN RRSIG A 8 2 86400 20160517181943 [...]
>
> So in my understanding that signature expired at 2016-05-17 18:19:43 UTC,
> which is a few hours ago, and thus the query should result in a SERVFAIL.
> unbound still returns that response, even with the AD flag set. Is that
> supposed to happen?
unbound allows for some clock skew as explained in man 5 unbound.conf:

> val-sig-skew-max: <seconds>
> Maximum number of seconds of clock skew to apply to validated
> signatures. A value of 10% of the signature lifetime
> (expiration - inception) is used, capped by this setting. Default
> is 86400 (24 hours)...

HTH,
Simon
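To make the "10% of the signature lifetime, capped" rule concrete, here is an added worked example (my own code, not from the thread or from unbound's source). It models the skew computation with the val-sig-skew-max default quoted above and its companion option val-sig-skew-min (default 3600 in the same man page), and evaluates the RRSIG from Julian's post at his query time. The inception timestamp was cut from the post, so the two inception values below are constructed for illustration.

```python
from datetime import datetime, timezone

# Defaults from unbound.conf(5): val-sig-skew-max 86400 (quoted above) and
# val-sig-skew-min 3600, which floors the same 10%-of-lifetime computation.
VAL_SIG_SKEW_MAX = 86400
VAL_SIG_SKEW_MIN = 3600


def parse_rrsig_time(stamp: str) -> int:
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp (always UTC) to Unix seconds."""
    dt = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def effective_skew(inception: int, expiration: int,
                   skew_min: int = VAL_SIG_SKEW_MIN,
                   skew_max: int = VAL_SIG_SKEW_MAX) -> int:
    """Skew tolerance: 10% of (expiration - inception), clamped to [min, max]."""
    skew = (expiration - inception) // 10
    return max(skew_min, min(skew, skew_max))


def rrsig_dates_ok(inception: int, expiration: int, now: int,
                   skew_min: int = VAL_SIG_SKEW_MIN,
                   skew_max: int = VAL_SIG_SKEW_MAX) -> bool:
    """Accept the signature if `now` lies in the validity window widened by the skew."""
    skew = effective_skew(inception, expiration, skew_min, skew_max)
    return inception - skew <= now <= expiration + skew


# Values from the post: expiration 20160517181943, query at 2016-05-17 23:43:16 UTC.
EXPIRATION = parse_rrsig_time("20160517181943")
QUERY_TIME = parse_rrsig_time("20160517234316")
# Constructed inceptions (the real one was elided in the post):
INCEPTION_10DAY = parse_rrsig_time("20160507181943")   # 10-day lifetime
INCEPTION_1DAY = parse_rrsig_time("20160516181943")    # 1-day lifetime


def verdict(inception: int) -> str:
    """Return what a validator with default skew settings would do at QUERY_TIME."""
    return "validated" if rrsig_dates_ok(inception, EXPIRATION, QUERY_TIME) else "SERVFAIL"


if __name__ == "__main__":
    for label, inc in (("10-day", INCEPTION_10DAY), ("1-day", INCEPTION_1DAY)):
        print(f"{label} lifetime: skew={effective_skew(inc, EXPIRATION)}s -> {verdict(inc)}")
```

A signature expired for 5h23m is still accepted only when its lifetime was long enough for 10% of it to cover that gap (here 86400 s for a 10-day lifetime); a 1-day signature gets just 8640 s of tolerance and would fail.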
