InformationThe dnssec-accept-expired option allows BIND to accept expired signatures during validation. The option should be disabled so that expired signatures will not be accepted.
Allowing expired signatures would leave the server vulnerable to replay attacks.
SolutionChange the dnssec-accept-expired option to have a value of no, or remove the option from the configuration files.
The dnssec-accept-expired option is disabled by default.