This disables DNSSEC until the system clock has been set correctly.
There is a circular dependency on working DNS and being able to
resolve DNS records in order to reach a time server. Systems without
a RTC or empty RTC battery will start up with time way in the past
in which all DNSSEC signatures are invalid.
TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
function dnssec_args() {
- local cmdline="--dnssec"
+ local cmdline="--dnssec --dnssec-timestamp"
if [ -n "${TRUST_ANCHOR}" ]; then
cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}"