From bc6dad585d897234cae63f3ebe2d8b962329ef35 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 2 Apr 2026 10:01:27 +0200 Subject: [PATCH] Fix off by one error in dnssec-ksr sign If the inception time of the signature is exactly equal to the inactive time of the key, still include the signature. Otherwise there may be corner cases where signatures are omitted erroneously. --- bin/dnssec/dnssec-ksr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index f76b07c3340..d2a38729090 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -674,7 +674,7 @@ sign_rrset(ksr_ctx_t *ksr, isc_stdtime_t inception, isc_stdtime_t expiration, if (act > inception) { continue; } - if (inact != 0 && inception >= inact) { + if (inact != 0 && inception > inact) { continue; } -- 2.47.3