Unbound is used with a default signature time skew configuration.
This means the DNSSEC RRSIG expire time can be skewed by 10% of its lifetime, with a minimum of 3600s (1 hour) and a maximum of 86400s (24 hours). This fixes at minimum DST issues and at maximum timezone issues.
```
# The signature inception and expiration dates are allowed to be off
# by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
```
Depending on the client side DNS resolver, the domain could be unreachable (if Google DNS 8.8.8.8 is used).
Currently no warning is given, see:
https://internet.nl/site/expiredsig3600.go.dnscheck.tools/2911709/ 84%
https://internet.nl/site/expiredsig3601.go.dnscheck.tools/2911710/ 50%
Should this be documented in the DNSSEC explain text?
Should a ℹ️ informational, ⚠️ warning or ❌ failure be shown?
Relevant unbound files/documentation mentioning this:
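The leeway rule from the quoted unbound.conf comment, worked through as an added example (not part of the original issue, and not Unbound's or internet.nl's code): it separates signatures that are valid outright from those accepted only because of the skew, which is the case the issue asks whether to flag. The function names are hypothetical, the timestamps are constructed, and plain integer comparison with inclusive boundaries is an assumption.

```python
# Added example: names are hypothetical, timestamps are constructed.
VAL_SIG_SKEW_MIN = 3600    # val-sig-skew-min default quoted in the issue
VAL_SIG_SKEW_MAX = 86400   # val-sig-skew-max default quoted in the issue


def allowed_skew(inception, expiration,
                 skew_min=VAL_SIG_SKEW_MIN, skew_max=VAL_SIG_SKEW_MAX):
    """Leeway in seconds: 10% of (expir - incep), capped to [min, max]."""
    return max(skew_min, min(skew_max, (expiration - inception) // 10))


def classify_rrsig(inception, expiration, now,
                   skew_min=VAL_SIG_SKEW_MIN, skew_max=VAL_SIG_SKEW_MAX):
    """Classify an RRSIG validity window against the clock `now`.

    Plain integer comparison (no 32-bit serial arithmetic) and inclusive
    boundaries are assumptions of this sketch.
    """
    if expiration < inception:
        return "invalid-window"
    if inception <= now <= expiration:
        return "valid"                      # accepted by a strict validator too
    skew = allowed_skew(inception, expiration, skew_min, skew_max)
    if inception - skew <= now <= expiration + skew:
        return "valid-only-with-skew"       # candidate for a warning
    return "expired" if now > expiration else "not-yet-valid"


def expired_case(lifetime, expired_ago, now=1_700_000_000):
    """Build a constructed signature that expired `expired_ago` seconds ago."""
    expiration = now - expired_ago
    return classify_rrsig(expiration - lifetime, expiration, now)


if __name__ == "__main__":
    hour, day = 3600, 86400
    for lifetime, ago in [(6 * hour, 3600), (6 * hour, 3601),
                          (30 * day, 86400), (30 * day, 86401),
                          (5 * day, 40000), (5 * day, -60)]:
        print(f"lifetime={lifetime:>8}s expired_ago={ago:>6}s ->",
              expired_case(lifetime, ago))
```

A result of `valid-only-with-skew` means a validator without this leeway would reject the same signature.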