Toke Høiland-Jørgensen writes:

> This would involve teaching the uclibc resolver about the CD bit and
> expose it in the resolver API I think. Can look into how difficult
> this actually is to do; with the caveat that I'm not exactly an expert
> on such code :P

OK, went looking at the code. As far as I can tell, it would probably be possible to teach the part of uclibc that does DNS lookups about the CD bit. However, I'm not sure there's a way to pass the request for no validation through the resolver to the right place; certainly not without entirely reworking the way ntpd does hostname lookups (and possibly other parts of the C library as well).

Either way it's not something I feel up to with the time I have available for hacking on cerowrt. So I am abandoning this avenue of enquiry.

I'll be happy to work on improving the dnsmasq script with the --dnssec-no-timecheck parameter approach; but if it is going to be rejected in favour of a different approach I'd rather not waste any more time on it... :)

-Toke