--- src/dnsmasq.c
+++ src/dnsmasq.c
@@ -1552,8 +1552,7 @@
 	/* update timestamp file on TERM if time is considered valid */
 	if (daemon->back_to_the_future)
 	  {
-	     if (utimes(daemon->timestamp_file, NULL) == -1)
-		my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
+		update_timestamp_amtime();
 	  }
 #endif
 
--- src/dnsmasq.h
+++ src/dnsmasq.h
@@ -1083,6 +1083,7 @@
 #ifdef HAVE_DNSSEC
   struct ds_config *ds;
   char *timestamp_file;
+  int timestamp_file_is_on_readonly_fs;
 #endif
 
   /* globally used stuff for DNS */
@@ -1257,6 +1258,7 @@
 int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen);
 size_t filter_rrsigs(struct dns_header *header, size_t plen);
 int setup_timestamp(void);
+void update_timestamp_amtime(void); /* sets atime and mtime of the timestamp_file to the current time */
 
 /* hash_questions.c */
 void hash_questions_init(void);
--- src/dnssec.c
+++ src/dnssec.c
@@ -145,6 +145,7 @@
   struct stat statbuf;
   
   daemon->back_to_the_future = 0;
+  daemon->timestamp_file_is_on_readonly_fs = 0;
   
   if (!daemon->timestamp_file)
     return 0;
@@ -156,8 +157,7 @@
       if (difftime(timestamp_time, time(0)) <=  0)
 	{
 	  /* time already OK, update timestamp, and do key checking from the start. */
-	  if (utimes(daemon->timestamp_file, NULL) == -1)
-	    my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
+	  update_timestamp_amtime();
 	  daemon->back_to_the_future = 1;
 	  return 0;
 	}
@@ -185,6 +185,20 @@
   return -1;
 }
 
+void update_timestamp_amtime(void)
+{
+	if (!daemon->timestamp_file || daemon->timestamp_file_is_on_readonly_fs)
+		return;
+
+	if (utimes(daemon->timestamp_file, NULL) == -1) {
+		if (errno == EROFS) {
+			daemon->timestamp_file_is_on_readonly_fs = 1;
+		} else {
+			my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
+		}
+	}
+}
+
 /* Check whether today/now is between date_start and date_end */
 static int is_check_date(unsigned long curtime)
 {
@@ -200,8 +214,7 @@
     {
       if (daemon->back_to_the_future == 0 && difftime(timestamp_time, curtime) <= 0)
 	{
-	  if (utimes(daemon->timestamp_file, NULL) != 0)
-	    my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
+	  update_timestamp_amtime();
 	  
 	  my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps."));
 	  daemon->back_to_the_future = 1;