A solution for this already exists, native dnsmasq (and thus pihole-FTL)
add a new configuration file to /etc/dnsmasq.d (don’t add it to 01-pihole.conf, as this will remove the new setting after
pihole -up or
pihole -r, so create XX-dnssec.conf)
from the dnsmasq man page:
DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records which have not been thoroughly checked.
Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
If dnsmasq is run in debug mode (-d flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
The original topic, containing the script was written a long time ago. Read this updated topic for the latest version of the steps required to setup the solution.