diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 9b468bffef..41bed9aa7e 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -97,6 +97,10 @@ jobs:
           path: /usr/local/bin
       - name: Setup dfx binary
         run: chmod +x /usr/local/bin/dfx
+      - name: Disable query verification in ic-ref
+        if: ${{ matrix.backend == 'ic-ref' }}
+        run: |
+          echo DFX_DISABLE_QUERY_VERIFICATION=1 >> $GITHUB_ENV
       - name: start and deploy
         run: |
           pwd
diff --git a/e2e/tests-dfx/certificate.bash b/e2e/tests-dfx/certificate.bash
index 1fe5d66269..de016567bb 100644
--- a/e2e/tests-dfx/certificate.bash
+++ b/e2e/tests-dfx/certificate.bash
@@ -13,6 +13,7 @@ setup() {
   dfx deploy
 
   BACKEND="127.0.0.1:$(get_webserver_port)"
+  declare -x DFX_DISABLE_QUERY_VERIFICATION=1
 
   # In github workflows, at the time of this writing, we get:
   #     macos-latest: mitmproxy 7.0.4
diff --git a/src/dfx-core/src/util/mod.rs b/src/dfx-core/src/util/mod.rs
index 64a9d30f9f..efb41ba088 100644
--- a/src/dfx-core/src/util/mod.rs
+++ b/src/dfx-core/src/util/mod.rs
@@ -6,5 +6,6 @@ pub fn network_to_pathcompat(network_name: &str) -> String {
 
 pub fn expiry_duration() -> Duration {
     // 5 minutes is max ingress timeout
-    Duration::from_secs(60 * 5)
+    // 4 minutes accounts for possible replica drift
+    Duration::from_secs(60 * 4)
 }
diff --git a/src/dfx/src/commands/ledger/mod.rs b/src/dfx/src/commands/ledger/mod.rs
index 745a2b05a3..716fa3aa63 100644
--- a/src/dfx/src/commands/ledger/mod.rs
+++ b/src/dfx/src/commands/ledger/mod.rs
@@ -3,6 +3,7 @@ use crate::lib::environment::Environment;
 use crate::lib::error::DfxResult;
 use crate::lib::network::network_opt::NetworkOpt;
 use crate::lib::nns_types::icpts::ICPTs;
+use crate::lib::root_key::fetch_root_key_if_needed;
 use anyhow::anyhow;
 use clap::Parser;
 use fn_error_context::context;
@@ -44,6 +45,7 @@ pub fn exec(env: &dyn Environment, opts: LedgerOpts) -> DfxResult {
     let agent_env = create_agent_environment(env, opts.network.to_network_name())?;
     let runtime = Runtime::new().expect("Unable to create a runtime");
     runtime.block_on(async {
+        fetch_root_key_if_needed(&agent_env).await?;
         match opts.subcmd {
             SubCommand::AccountId(v) => account_id::exec(&agent_env, v).await,
             SubCommand::Balance(v) => balance::exec(&agent_env, v).await,
diff --git a/src/dfx/src/lib/environment.rs b/src/dfx/src/lib/environment.rs
index f1056a72ee..e77b2ab090 100644
--- a/src/dfx/src/lib/environment.rs
+++ b/src/dfx/src/lib/environment.rs
@@ -383,11 +383,14 @@ pub fn create_agent(
     identity: Box<dyn Identity + Send + Sync>,
     timeout: Duration,
 ) -> DfxResult<Agent> {
+    let disable_query_verification =
+        std::env::var("DFX_DISABLE_QUERY_VERIFICATION").is_ok_and(|x| !x.trim().is_empty());
     let agent = Agent::builder()
         .with_transport(ic_agent::agent::http_transport::ReqwestTransport::create(
             url,
         )?)
         .with_boxed_identity(identity)
+        .with_verify_query_signatures(!disable_query_verification)
         .with_ingress_expiry(Some(timeout))
         .build()?;
     Ok(agent)