7.3 Disable the dnssec-accept-expired Option

Information

The dnssec-accept-expired option allows BIND to accept expired signatures during validation. The option should be disabled so that expired signatures will not be accepted.

Rationale:

Allowing expired signatures would leave the server vulnerable to replay attacks.

Solution

Change the dnssec-accept-expired option to have a value of no, or remove the option from the configuration files.
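An audit and remediation helper for this item, added here as an example (it is not part of the CIS benchmark text, and the sample named.conf fragments it creates are constructed; the function names and temporary paths are assumptions):

```shell
#!/bin/sh
# Example audit/remediation for the BIND dnssec-accept-expired option.
# Not part of the CIS benchmark; file paths and sample configs are constructed.

# Return 0 if the option is absent or "no", 1 if it is enabled, 2 if unreadable.
# Handles // and # comments; /* */ blocks and "include" directives are not followed.
audit_dnssec_accept_expired() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    if sed -e 's://.*$::' -e 's:#.*$::' "$cfg" |
        grep -Eiq 'dnssec-accept-expired[[:space:]]+(yes|true|1)[[:space:]]*;'; then
        return 1
    fi
    return 0
}

# Rewrite an enabled option to "no" in place (portable; avoids sed -i).
remediate_dnssec_accept_expired() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    sed -E 's/(dnssec-accept-expired)[[:space:]]+([Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1)[[:space:]]*;/\1 no;/' \
        "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Constructed sample configuration files for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
options {
    directory "/var/named";
    dnssec-validation auto;
    dnssec-accept-expired yes;   // expired RRSIGs would be accepted
};
EOF
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
options {
    directory "/var/named";
    dnssec-validation auto;
    // dnssec-accept-expired yes;   (commented out: option stays at its default of no)
};
EOF

for f in "$SAMPLE_DIR/bad.conf" "$SAMPLE_DIR/good.conf"; do
    if audit_dnssec_accept_expired "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
```

Run the audit against every file named.conf includes, since the option may also be set inside a view block or an included file.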

Default Value:

The dnssec-accept-expired option is disabled by default.

See Also

https://workbench.cisecurity.org/files/2997