From ad45cdd3830c405ac7ed20bf2f628c7fc31940ac Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Thu, 2 Apr 2026 10:01:27 +0200
Subject: [PATCH] Fix off by one error in dnssec-ksr sign

If the inception time of the signature is exactly equal to the
inactive time of the key, still include the signature. Otherwise there
may be corner cases where signatures are omitted erroneously.

(cherry picked from commit bc6dad585d897234cae63f3ebe2d8b962329ef35)
---
 bin/dnssec/dnssec-ksr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c
index 01df9843cc..fbad0b47b9 100644
--- a/bin/dnssec/dnssec-ksr.c
+++ b/bin/dnssec/dnssec-ksr.c
@@ -705,7 +705,7 @@ sign_rrset(ksr_ctx_t *ksr, isc_stdtime_t inception, isc_stdtime_t expiration,
 		if (act > inception) {
 			continue;
 		}
-		if (inact != 0 && inception >= inact) {
+		if (inact != 0 && inception > inact) {
 			continue;
 		}