Setting dnssec/dnsseccheckunsigned=1 in custom image

I remember back in OpenWrt DD days when I set dnssec/dnsseccheckunsigned=1 in the custom image I made for my router, there was some scripting required to make it work on reboot/reset, as my router didn't have a built-in clock and on boot it would refuse to connect anywhere (because the clock was out of date), preventing it from updating its clock.

I'm wondering if things have changed with LEDE? Is it safe to set dnssec/dnsseccheckunsigned=1 in a custom image? Are there better solutions to have dnssec/dnsseccheckunsigned=1 than temporarily setting them to 0 to update the clock, then resetting them to 1 and restarting dnsmasq?

PS. That is all, of course, with dnsmasq-full instead of dnsmasq built-in.

While I have not tested this myself (as I switched to using unbound), I think things have changed for quite a while now in LEDE. There has been this commit by Kevin Darbyshire-Bryant that should make Dnsmasq work with dnsseccheckunsigned on a router without a hardware clock. The solution is actually not better than the workaround you describe, as it does exactly that - it will disable DNSSEC enforcement until ntpd says the time is in sync. Yet, it's more convenient as you don't need a custom script to do so.

Unbound uses a different approach to the problem, btw. It has a configuration option to avoid dnssec enforcement for specific domains only. So, you can specify the domains of your preferred dns servers and they will always be resolved regardless of the validity of your system (router) time. Other domains won't be resolved when the time is not in sync. That's actually not the reason why I use unbound, but I think it provides a leaner solution to the time validity problem of DNSSEC compared to Dnsmasq.
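A small model of the two strategies described above, added here as an illustration; it is not code from the thread, from OpenWrt/LEDE, or from dnsmasq or unbound. The dnsmasq-style validator skips the RRSIG time-window check until an NTP sync event arrives; the unbound-style validator always checks the window but exempts the listed domains (and their subdomains) from enforcement, which is what lets the NTP server names resolve before the clock is set. The `Validator` class, the domain names and the dates are constructed for the example, and cryptographic verification of the signature is represented only by a flag.

```python
"""Model of DNSSEC clock handling on a router with no RTC (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Rrsig:
    """Validity window of a signed answer (constructed, not parsed from DNS)."""
    name: str
    inception: datetime
    expiration: datetime
    crypto_valid: bool = True  # stands in for the real signature check


@dataclass
class Validator:
    # dnsmasq-style: defer the time-window check until NTP reports sync
    time_check_enabled: bool = False
    # unbound-style: domains exempt from DNSSEC enforcement (hypothetical list)
    insecure_domains: set = field(default_factory=set)

    def ntp_synced(self):
        """Called when ntpd reports sync; from now on time stamps are enforced."""
        self.time_check_enabled = True

    def _is_insecure(self, name):
        name = name.rstrip(".").lower()
        return any(name == d or name.endswith("." + d) for d in self.insecure_domains)

    def resolve(self, sig, now):
        """Return 'SECURE', 'INSECURE' or 'BOGUS' for a signed answer."""
        if self._is_insecure(sig.name):
            return "INSECURE"          # accepted, but not validated
        if not sig.crypto_valid:
            return "BOGUS"
        if self.time_check_enabled and not (sig.inception <= now <= sig.expiration):
            return "BOGUS"             # valid signature, wrong clock
        return "SECURE"


EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)            # clock of a no-RTC boot
REAL_NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed "true" time


def sample_sig(name):
    """Constructed RRSIG window of one week around REAL_NOW."""
    return Rrsig(name, REAL_NOW - timedelta(days=3), REAL_NOW + timedelta(days=4))


def scenario():
    """Walk both strategies through a boot with a 1970 clock; returns outcomes."""
    results = {}

    # dnsmasq-style: no time check until the sync event
    v = Validator()
    results["dnsmasq_before_sync"] = v.resolve(sample_sig("pool.ntp.org"), EPOCH)
    v.ntp_synced()
    results["dnsmasq_after_sync_ok"] = v.resolve(sample_sig("example.com"), REAL_NOW)
    # if the clock were still wrong after sync, answers become bogus
    results["dnsmasq_after_sync_bad_clock"] = v.resolve(sample_sig("example.com"), EPOCH)

    # unbound-style: time always checked, NTP server names exempted
    u = Validator(time_check_enabled=True, insecure_domains={"pool.ntp.org"})
    results["unbound_ntp_domain_bad_clock"] = u.resolve(sample_sig("0.openwrt.pool.ntp.org"), EPOCH)
    results["unbound_other_domain_bad_clock"] = u.resolve(sample_sig("example.com"), EPOCH)
    results["unbound_other_domain_after_sync"] = u.resolve(sample_sig("example.com"), REAL_NOW)
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The trade-off shows in the results: the dnsmasq-style approach answers every query as SECURE before sync, so any answer with a forged or expired window is accepted during that period, whereas the unbound-style approach keeps enforcing time for everything except the exempted names, which are simply not validated at all. Either way, the window of reduced protection is bounded by the time it takes the router to get a sane clock.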

Thanks Timo. I'll try building an image with dnssec/dnsseccheckunsigned set to 1 and post back.

Right, so I've set both of them to 1, forgot about it and then started having weird wget error 4 messages when trying to use Image Builder (which downloads a lot of small package files during the process).

So dnsmasq-full was totally failing on at least one of them, sometimes for 5-6 attempts to build an image in a row.