We used to have a lot of theatre inside the Unbound initscript to bring DNS up when the time is off as the DNSSEC keys are not valid. This has to be replicated inside Knot Resolver, too, so that systems without an RTC keep functioning.
So I spent a lot of time to research this, and I think that there isn't a perfect solution. However, I made two changes which should fix this problem for us:

> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=c0b8718ff8ef368208eed2e9934cfa35d1cd7272

I refactored that we will at least start with the last timestamp of /var/log/messages so that we won't be too far away if the system has just been rebooted or has only been turned off for a short time.

> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=942597de3684d17682d1188585c985fff2caad6b

I then added a script which will sync the time as soon as the system comes online. That way, as soon as possible, we will sync the time. If that isn't possible, we will fall back to a hard-coded IP address.

And last, the boot process will pause for a moment until DNS becomes available with a 120 second timeout:

> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=4efa083cab701e199acb6b0b904bdc4278e93a35

If after that time, we have not synced the time and DNS has become available, there probably isn't anything else we can do.
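
The three steps described in the comment above (start from the log's last timestamp, sync with a fallback to a hard-coded IP, wait for DNS with a timeout), as an added shell example; it is not the code from the linked IPFire commits. The function names, the use of the log file's modification time as its last timestamp, and the `ntp_sync`, `dns_probe`, `time.example.org` and `192.0.2.1` placeholders are assumptions.

```shell
#!/bin/sh
# Added illustration, not IPFire's initscript code. Assumes GNU stat.

# Print the later of the current clock and the mtime of a reference file
# (assumption: the log's mtime stands in for its last timestamp), in epoch
# seconds, so a clock reset to 1970 starts close to the last shutdown.
clock_floor() {
    cf_ref="$1"
    cf_now="${2:-$(date +%s)}"
    cf_mtime=$(stat -c %Y "$cf_ref" 2>/dev/null) || cf_mtime=0
    if [ "$cf_mtime" -gt "$cf_now" ]; then
        echo "$cf_mtime"
    else
        echo "$cf_now"      # never move the clock backwards
    fi
}

# Try to sync against a hostname first; if that fails (for example because
# DNS does not validate while the clock is wrong), retry against a
# hard-coded IP. Prints which path worked: name, ip or none.
sync_time() {
    st_cmd="$1"; st_host="$2"; st_ip="$3"
    if "$st_cmd" "$st_host" >/dev/null 2>&1; then echo name; return 0; fi
    if "$st_cmd" "$st_ip" >/dev/null 2>&1; then echo ip; return 0; fi
    echo none
    return 1
}

# Re-run a probe command once per second until it succeeds or the timeout
# (seconds) expires. Returns 0 on success, 1 on timeout.
wait_for() {
    wf_timeout="$1"; shift
    wf_waited=0
    until "$@" >/dev/null 2>&1; do
        if [ "$wf_waited" -ge "$wf_timeout" ]; then return 1; fi
        sleep 1
        wf_waited=$((wf_waited + 1))
    done
    return 0
}

# Usage at boot (ntp_sync and dns_probe are hypothetical commands):
#   date -s "@$(clock_floor /var/log/messages)"
#   sync_time ntp_sync time.example.org 192.0.2.1
#   wait_for 120 dns_probe || echo "DNS not available after 120s" >&2
```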