diff --git a/CHANGES b/CHANGES
index d74d2914c0..2a54274806 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+ 106. [func] Allow dnssec verifications to ignore the validity
+ period. Used by several of the dnssec tools.
+
 105. [doc] doc/dev/coding.html expanded with other implicit conventions the developers have used.
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 53a1e25fbc..c3701178d2 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: dnssec.c,v 1.29 2000/04/27 00:01:24 tale Exp $
+ * $Id: dnssec.c,v 1.30 2000/04/27 18:09:09 bwelling Exp $
 * Principal Author: Brian Wellington
 */
@@ -332,7 +332,8 @@ cleanup_name:
 isc_result_t
 dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_mem_t *mctx, dns_rdata_t *sigrdata)
+ isc_boolean_t ignoretime, isc_mem_t *mctx,
+ dns_rdata_t *sigrdata)
 {
 dns_rdata_generic_sig_t sig;
 dns_fixedname_t fnewname;
@@ -358,13 +359,15 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 if (ret != ISC_R_SUCCESS)
 return (ret);
- isc_stdtime_get(&now);
+ if (!ignoretime) {
+ isc_stdtime_get(&now);
- /* Is SIG temporally valid? */
- if (sig.timesigned > now)
- return (DNS_R_SIGFUTURE);
- else if (sig.timeexpire < now)
- return (DNS_R_SIGEXPIRED);
+ /* Is SIG temporally valid? */
+ if (sig.timesigned > now)
+ return (DNS_R_SIGFUTURE);
+ else if (sig.timeexpire < now)
+ return (DNS_R_SIGEXPIRED);
+ }
 /* Is the key allowed to sign data? */
 flags = dst_key_flags(key);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 509af8b7bb..7a078f68bc 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
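Review bot: In the dnssec.c hunk at -358, `now` is assigned only inside the new `if (!ignoretime)` block, so if any code later in dns_dnssec_verify still reads `now` (the function's declarations are above this hunk and its body continues below it), that read is of an uninitialized stdtime whenever the caller passes ISC_TRUE. The cheap guard is to initialize it at its declaration, e.g. `isc_stdtime_t now = 0;`, or to keep `isc_stdtime_get(&now);` unconditional and wrap only the two comparisons. The new branch also deserves a comment stating its consequence, since with `ignoretime` set DNS_R_SIGFUTURE and DNS_R_SIGEXPIRED can never be returned and a success no longer says anything about the signature's validity window: `/* Caller opted out of the validity-period check (offline tools only); expired or not-yet-valid SIGs pass this point. */`.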
@@ -81,11 +81,13 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 isc_result_t
 dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_mem_t *mctx, dns_rdata_t *sigrdata);
+ isc_boolean_t ignoretime, isc_mem_t *mctx,
+ dns_rdata_t *sigrdata);
 /*
 * Verifies the SIG record covering this rdataset signed by a specific
 * key. This does not determine if the key's owner is authorized to
 * sign this record, as this requires a resolver or database.
+ If 'ignoretime' is ISC_TRUE, temporal validity will not be checked.
 *
 * Requires:
 * 'name' (the owner name of the record) is a valid name
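Review bot: The added comment line says temporal validity will not be checked but not what that means for callers: with `ignoretime` set, DNS_R_SIGFUTURE and DNS_R_SIGEXPIRED cannot be returned, so a success only shows the signature is cryptographically correct for this key, and anything acting as a validator must pass ISC_FALSE. I would extend it to ` * If 'ignoretime' is ISC_TRUE, the SIG's inception and expiration times are not checked and DNS_R_SIGFUTURE / DNS_R_SIGEXPIRED are never returned; this is intended for offline tools, validators should pass ISC_FALSE.` As rendered here the added line also lacks the leading ` * ` that the surrounding comment lines carry; if that is not an artifact of the rendering, it should be added for consistency. The comment block continues past the end of this hunk.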