Simon Kelley writes:

> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck or
> something, which disables the checking of RRSIG inception and expiry
> times. This flag is automatically reset when dnsmasq gets the SIGHUP
> signal which causes it to clear the cache and re-read (some)
> configuration.

One issue with this is that the openwrt init scripts currently take ages
to restart dnsmasq because it has to rebuild the configuration from uci,
which is done in shell. Other than that I like the approach; it would
enable *some* validation at least (I presume?).

Another approach to "exiting" the mode could be that if the flag is
turned off, for each validation attempt, first try to see if the time
*does* validate; if it does, turn off the flag, otherwise retry the
validation while ignoring the time. That would make it possible to just
stick the flag in the configuration and have things "just work", I
think.

Only instance I can think of where this is not true is if some lookup
succeeds due to a longer validity time, which will disable the flag, and
then having the subsequent NTP server lookup fail. Not sure what the
probability of this happening is, though.

-Toke
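
The self-clearing flag proposed in the message above, together with the failure case it mentions, as an added sketch (not dnsmasq code and not written by either poster). The struct, the function names and the timestamps are hypothetical, and only the RRSIG validity window is modelled; the signature itself is assumed to have verified.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: just the RRSIG validity window, in epoch seconds. */
struct rrsig { uint32_t inception, expiration; };

/* Set at startup (the proposed --dnssec-no-timecheck), cleared on its own. */
static bool no_timecheck = true;

bool flag_is_set(void) { return no_timecheck; }
void reset_flag(void)  { no_timecheck = true; }

/* RFC 4034 3.1.5: RRSIG times compare with serial number arithmetic. */
static bool time_valid(const struct rrsig *sig, uint32_t now)
{
    return (int32_t)(now - sig->inception) >= 0 &&
           (int32_t)(sig->expiration - now) >= 0;
}

/* Returns true if the answer is accepted. */
bool validate(const struct rrsig *sig, uint32_t now)
{
    if (time_valid(sig, now)) {
        no_timecheck = false;   /* clock looks plausible: leave the mode */
        return true;
    }
    return no_timecheck;        /* ignore time only while the flag is set */
}

/* Constructed scenario: the clock is 20 days slow after boot. A record with
   a 60-day window validates and clears the flag; the NTP server's record,
   signed one day ago, then looks "not yet valid" and is rejected. */
int ntp_lookup_fails_after_early_exit(void)
{
    uint32_t real_now = 1400000000u, boot_clock = real_now - 20u * 86400u;
    struct rrsig long_lived = { real_now - 30u * 86400u, real_now + 30u * 86400u };
    struct rrsig ntp_name   = { real_now - 86400u, real_now + 7u * 86400u };

    reset_flag();
    bool first  = validate(&long_lived, boot_clock);
    bool second = validate(&ntp_name, boot_clock);
    return first && !flag_is_set() && !second;
}

int main(void)
{
    printf("NTP lookup rejected after early exit: %d\n",
           ntp_lookup_fails_after_early_exit());
    return 0;
}
```

With a clock that starts at zero no signature window matches, so the flag stays set until the time has been corrected; the early exit only occurs when the wrong clock happens to fall inside some record's window.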