From de7abd2cd52e3751ac94d5d56ae9ff510311fc67 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue, 10 Mar 2015 16:22:09 +0100
Subject: [PATCH] dnsmasq: Enable DNSSEC timestamp feature

This disables DNSSEC until the system clock has been set correctly.
There is a circular dependency on working DNS and being able to
resolve DNS records in order to reach a time server. Systems without
a RTC or empty RTC battery will start up with time way in the past
in which all DNSSEC signatures are invalid.
---
 src/initscripts/init.d/dnsmasq | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/initscripts/init.d/dnsmasq b/src/initscripts/init.d/dnsmasq
index 48b9d19d02..4e37925171 100644
--- a/src/initscripts/init.d/dnsmasq
+++ b/src/initscripts/init.d/dnsmasq
@@ -26,7 +26,7 @@ SHOW_SRV=1
 TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 
 function dnssec_args() {
-	local cmdline="--dnssec"
+	local cmdline="--dnssec --dnssec-timestamp"
 
 	if [ -n "${TRUST_ANCHOR}" ]; then
 		cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}"
-- 
2.39.2