Fix off by one error in dnssec-ksr sign
authorMatthijs Mekking <matthijs@isc.org>
Thu, 2 Apr 2026 08:01:27 +0000 (10:01 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 2 Apr 2026 14:47:18 +0000 (14:47 +0000)
If the inception time of the signature is exactly equal to the
inactive time of the key, still include the signature. Otherwise there
may be corner cases where signatures are omitted erroneously.

bin/dnssec/dnssec-ksr.c

index f76b07c33409e387c35926cd8c570ec44320ffd5..d2a387290906557accb857b622a348415803c9c1 100644 (file)
@@ -674,7 +674,7 @@ sign_rrset(ksr_ctx_t *ksr, isc_stdtime_t inception, isc_stdtime_t expiration,
                if (act > inception) {
                        continue;
                }
-               if (inact != 0 && inception >= inact) {
+               if (inact != 0 && inception > inact) {
                        continue;
                }