Right, so I took a stab at prototyping something based on the
--dnssec-no-timecheck option Simon just added to dnsmasq.

There's an updated dnsmasq package here:

http://archive.tohojo.dk/cerowrt/wndr/3.10.32-12-tohojo/packages/dnsmasq-dhcpv6_2014-03-29-b7639d58158c6e971535893b407560e136a27994_ar71xx.ipk

Which, apart from the change to dnsmasq itself, has a modification to
the init script that will add the parameter to dnsmasq on bootup (but
not on subsequent restarts), and then spawn a script that will check the
ntpd stratum status and wait for it to be set; or, if no stratum
information is available just set the time with ntpd -q. Once either the
time has been set, or ntpd reports a valid stratum, dnsmasq is sent
SIGHUP to turn dnssec time validation back on.

To get ntpd to report its stratum status, it is spawned with the -S
parameter which will periodically report its status, including stratum.
A small script then records that in a file which the dnsmasq script
checks. Since the script falls back to running ntpd -q, this change to
ntpd is not strictly necessary; but I thought it better to make it
available rather than running a second ntp sync on top of the running
ntpd server. To enable the ntpd modification, replace
/etc/init.d/sysntpd with the attached file, put this into
/usr/sbin/ntpd_record_stratum and chmod +x it:

#!/bin/sh
echo $stratum > /var/ntp.stratum

There's a busybox package with this modification included here, but I
can't promise it is built with the exact same options as the one
distributed with cerowrt (though it works for me):

http://archive.tohojo.dk/cerowrt/wndr/3.10.32-12-tohojo/packages/busybox_1.19.4-7_ar71xx.ipk



Please test this out and let me know if it works for you. It seems to
work for me; however, I have not been successful in actually getting my
router to boot up without the time synced. Not sure if it's just ntpd
that syncs up before the script runs (and then takes a while to update
its stratum), or if some hidden mechanism does something magical to set
the time (even when the *fixtime init scripts are disabled).


-Toke