Maybe it would be an option to allow Real Time scheduling in the systemd service as I now see tomporary invalid DNSSEC name resolution and a few seconds later all went OK ... currently RestrictRealtime is set to true but should IMHO not set or set to off. --- --dnssec-no-timecheck DNSSEC signatures are only valid for specified time win- dows, and should be rejected outside those windows. This generates an interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as reli- able time is established, a SIGINT should be sent to dns- masq, which enables time checking, and purges the cache of DNS records which have not been thoroughly checked.