The ., org. keys are not going to grow multiple year expiries, so we need our
own thing to cache.  One could cache the DNSKEY for bufferbloat.net along
with the root zone keys... then look up ntp.bufferbloat.net. It would have to
return A/AAAA records, because chasing a CNAME into ntp.org would fail to
validate.

    > of the entry, for the resolution of ntp server names, and then you have to
    > somehow convey to the resolver that you want a secure lookup, but it's ok if
    > it's expired (or too new, or...), which gets back to some of the earlier parts
    > of this discussion.

Bingo.

That would scale well for CeroWRT, but doesn't seem like it would scale well for general use (OpenWRT).  Or rather, the use of bufferbloat.net wouldn't scale well.  But OpenWRT might be able to do the same with its key, and have its own ntp.openwrt.org which resolves into the general ntp pool.

-Aaron