From 0e5a6d1a54e29c6d19c8d6688f0e110ba622ad56 Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma" <bw@broersma.com>
Date: Mon, 2 Dec 2024 17:56:31 +0100
Subject: [PATCH] Expire DNSSEC signatures without time skew

Fixing #1481.
---
 docker/resolver/resolver-validating.conf.template | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker/resolver/resolver-validating.conf.template b/docker/resolver/resolver-validating.conf.template
index 86bfa22ed..994e02aa8 100644
--- a/docker/resolver/resolver-validating.conf.template
+++ b/docker/resolver/resolver-validating.conf.template
@@ -12,6 +12,10 @@ server:
   module-config: "validator iterator"
   chroot: ""
 
+  # expire DNSSEC signatures without time skew
+  val-sig-skew-min: 0
+  val-sig-skew-max: 0
+
   cache-max-ttl: ${DNS_CACHE_TTL}
   cache-max-negative-ttl: ${DNS_CACHE_TTL}