1947. [func] It is now possible to configure named to accept

expired RRSIGs. Default "dnssec-accept-expired no;". Setting "dnssec-accept-expired yes;" leaves named vulnerable to replay attacks. [RT #14685]
2025-08-31 22:45:39 +00:00 · 2006-01-04 02:35:49 +00:00
parent 35da39a7f1
commit fabf2ee6b0
10 changed files with 66 additions and 19 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.c,v 1.62 2005/11/30 03:33:48 marka Exp $ */
+/* $Id: config.c,v 1.63 2006/01/04 02:35:49 marka Exp $ */

 /*! \file */

@@ -133,6 +133,7 @@ options {\n\
 	acache-cleaning-interval 60;\n\
 	max-acache-size 0;\n\
 	dnssec-enable no; /* Make yes for 9.4. */ \n\
+	dnssec-accept-expired no;\n\
 	clients-per-query 10;\n\
 	max-clients-per-query 100;\n\
 "