diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 08ce36bfdb..86d30e4f0a 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -19,6 +19,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -35,6 +36,7 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring,
 int secretalloc = 0;
 int secretlen = 0;
 isc_result_t ret;
+ isc_stdtime_t now;
 key = ISC_LIST_HEAD(list->keydefs);
 while (key != NULL) {
@@ -102,8 +104,10 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring,
 isc_lex_close(lex);
 isc_lex_destroy(&lex);
+ isc_stdtime_get(&now);
 ret = dns_tsigkey_create(&keyname, &alg, secret, secretlen,
- ISC_FALSE, NULL, mctx, ring, NULL);
+ ISC_FALSE, NULL, now, now,
+ mctx, ring, NULL);
 isc_mem_put(mctx, secret, secretalloc);
 secret = NULL;
 if (ret != ISC_R_SUCCESS)
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index ea06ab0f74..c612ce9626 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -21,6 +21,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -52,6 +53,8 @@ struct dns_tsigkey {
 dns_name_t algorithm; /* Algorithm name */
 dns_name_t *creator; /* name that created secret */
 isc_boolean_t generated; /* was this generated? */
+ isc_stdtime_t inception; /* start of validity period */
+ isc_stdtime_t expire; /* end of validity period */
 dns_tsig_keyring_t *ring; /* the enclosing keyring */
 isc_mutex_t lock; /* Locked */
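Review bot: The `now, now` pair passed to dns_tsigkey_create for every configured key relies on the inception == expire convention to mean "never expires", but nothing at the call site says so, and `isc_stdtime_get(&now)` is re-read inside the per-key loop for a value whose magnitude is irrelevant. I would hoist the time read above the `while (key != NULL)` loop (the loop head is in the previous hunk) and comment the call: `/* inception == expire: statically configured keys never expire */`. add_initial_keys continues outside the hunk.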
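Review bot: The new `inception`/`expire` field comments do not record the sentinel that dns_tsigkey_find in tsig.c relies on, namely that inception == expire means the key never expires; that convention is only stated in the dns_tsigkey_create prose further down this header, so a reader of the struct (or of the equality test that guards the expiry check in find) will not know why it is there. State it on the field itself: `isc_stdtime_t expire; /* end of validity period; == inception means no expiry */`. The struct definition continues outside the hunk.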
@@ -68,11 +71,15 @@ struct dns_tsigkey {
 isc_result_t
 dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 unsigned char *secret, int length, isc_boolean_t generated,
- dns_name_t *creator, isc_mem_t *mctx,
+ dns_name_t *creator, isc_stdtime_t inception,
+ isc_stdtime_t expire, isc_mem_t *mctx,
 dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
 /*
 * Creates a tsig key structure and saves it in the keyring. If key is
- * not NULL, *key * will contain a copy of the key.
+ * not NULL, *key will contain a copy of the key. The keys validity
+ * period is specified by (inception, expire), and will not expire if
+ * inception == expire. If the key was generated, the creating identity,
+ * if there is one, should be in the creator parameter.
 *
 * Requires:
 * 'name' is a valid dns_name_t
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 27bb4bd4be..d08a7c6118 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: tkey.c,v 1.20 2000/01/24 20:19:51 bwelling Exp $
+ * $Id: tkey.c,v 1.21 2000/01/24 22:22:50 bwelling Exp $
 * Principal Author: Brian Wellington
 */
@@ -289,7 +289,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *name,
 ISC_BUFFERTYPE_BINARY);
 RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
 isc_buffer_used(&ourkeybuf, &ourkeyr);
- dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_in,
+ dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
 dns_rdatatype_key, &ourkeyr);
 isc_buffer_init(&ournamein, dst_key_name(tctx->dhkey),
 strlen(dst_key_name(tctx->dhkey)), ISC_BUFFERTYPE_TEXT);
@@ -358,8 +358,8 @@ process_dhtkey(dns_message_t *msg, dns_name_t *name,
 isc_buffer_used(&secret, &r);
 tsigkey = NULL;
 result = dns_tsigkey_create(name, &tkeyin->algorithm, r.base, r.length,
- ISC_TRUE, creator, msg->mctx, ring,
- NULL);
+ ISC_TRUE, creator, tkeyin->inception,
+ tkeyin->expire, msg->mctx, ring, NULL);
 isc_buffer_free(&shared);
 shared = NULL;
 if (result == ISC_R_NOTFOUND) {
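Review bot: The new prose says the validity period "is specified by (inception, expire)", but the only enforcement in this diff (dns_tsigkey_find in tsig.c) compares `expire` against the current time and never looks at `inception`, and dns_tsigkey_create stores both values without checking that `inception <= expire`; the comment promises more than the code delivers. Either add the inception check in find or narrow the wording to "the key is treated as expired once 'expire' has passed", and add `'inception' <= 'expire', or the two are equal (no expiry)` to the Requires list. Also "The keys validity" should read "The key's validity". The comment block continues outside the hunk.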
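Review bot: `tkeyin->inception` and `tkeyin->expire` come straight from the client's TKEY request and are handed to dns_tsigkey_create without any server-side bound, so the requester chooses the lifetime of the negotiated key; under the inception == expire convention a client that sends equal times obtains a key that never expires, and a far-future expire has the same effect. As I read RFC 2930 the server may shorten the lifetime it grants, so clamp before the call, e.g. `if (tkeyin->inception == tkeyin->expire || tkeyin->expire > now + MAX_TKEY_LIFETIME) tkeyin->expire = now + MAX_TKEY_LIFETIME;` with `now` from isc_stdtime_get and `MAX_TKEY_LIFETIME` a server-chosen constant, and make sure the clamped values are what the response reports. Whether the response echoes these fields is outside the hunk; process_dhtkey begins and ends outside it.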
@@ -679,18 +679,18 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 RETERR(dns_message_gettemprdataset(msg, &question));
 dns_rdataset_init(question);
- dns_rdataset_makequestion(question, dns_rdataclass_in /* _any */,
+ dns_rdataset_makequestion(question, dns_rdataclass_any,
 dns_rdatatype_tkey);
 RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 512,
 ISC_BUFFERTYPE_BINARY));
 RETERR(dns_message_gettemprdata(msg, &rdata));
- RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_in /* _any */,
+ RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 dns_rdatatype_tkey, tkey, dynbuf));
 dns_message_takebuffer(msg, &dynbuf);
 RETERR(dns_message_gettemprdatalist(msg, &tkeylist));
- tkeylist->rdclass = dns_rdataclass_in /* _any */;
+ tkeylist->rdclass = dns_rdataclass_any;
 tkeylist->type = dns_rdatatype_tkey;
 tkeylist->covers = 0;
 tkeylist->ttl = 0;
@@ -750,7 +750,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 REQUIRE(name != NULL);
 REQUIRE(algorithm != NULL);
- tkey.common.rdclass = dns_rdataclass_in /* _any */;
+ tkey.common.rdclass = dns_rdataclass_any;
 tkey.common.rdtype = dns_rdatatype_tkey;
 ISC_LINK_INIT(&tkey.common, link);
 tkey.mctx = msg->mctx;
@@ -779,7 +779,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 ISC_BUFFERTYPE_BINARY));
 RETERR(dst_key_todns(key, dynbuf));
 isc_buffer_used(dynbuf, &r);
- dns_rdata_fromregion(rdata, dns_rdataclass_in,
+ dns_rdata_fromregion(rdata, dns_rdataclass_any,
 dns_rdatatype_key, &r);
 dns_message_takebuffer(msg, &dynbuf);
 RETERR(dns_message_gettempname(msg, &keyname));
@@ -813,7 +813,7 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
 REQUIRE(msg != NULL);
 REQUIRE(key != NULL);
- tkey.common.rdclass = dns_rdataclass_in /* _any */;
+ tkey.common.rdclass = dns_rdataclass_any;
 tkey.common.rdtype = dns_rdatatype_tkey;
 ISC_LINK_INIT(&tkey.common, link);
 tkey.mctx = msg->mctx;
@@ -966,7 +966,8 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 tsigkey = NULL;
 result = dns_tsigkey_create(tkeyname, &rtkey.algorithm, r.base,
 r.length, ISC_TRUE,
- NULL, rmsg->mctx, ring, outkey);
+ NULL, rtkey.inception, rtkey.expire,
+ rmsg->mctx, ring, outkey);
 isc_buffer_free(&shared);
 return (result);
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 2a85ebfd7e..80079b7f5f 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: tsig.c,v 1.41 2000/01/24 19:14:22 gson Exp $
+ * $Id: tsig.c,v 1.42 2000/01/24 22:22:50 bwelling Exp $
 * Principal Author: Brian Wellington
 */
@@ -64,7 +64,8 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
 isc_result_t
 dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 unsigned char *secret, int length, isc_boolean_t generated,
- dns_name_t *creator, isc_mem_t *mctx,
+ dns_name_t *creator, isc_stdtime_t inception,
+ isc_stdtime_t expire, isc_mem_t *mctx,
 dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
 {
 isc_buffer_t b, nameb;
@@ -167,6 +168,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 if (key != NULL)
 tkey->refs++;
 tkey->generated = generated;
+ tkey->inception = inception;
+ tkey->expire = expire;
 tkey->deleted = ISC_FALSE;
 tkey->mctx = mctx;
 ret = isc_mutex_init(&tkey->lock);
@@ -609,6 +612,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 return (DNS_R_TSIGVERIFYFAILURE);
 }
+ /* Get the current time */
+ isc_stdtime_get(&now);
+
 /* Find dns_tsigkey_t based on keyname */
 if (msg->tsigkey == NULL) {
 ret = ISC_R_NOTFOUND;
@@ -627,6 +633,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 msg->tsigkey = NULL;
 ret = dns_tsigkey_create(keyname, &tsig->algorithm,
 NULL, 0, ISC_FALSE, NULL,
+ now, now,
 mctx, dring, &msg->tsigkey);
 if (ret != ISC_R_SUCCESS)
 goto cleanup_struct;
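Review bot: `tkey->inception` and `tkey->expire` are stored without any validation, even though one caller (process_dhtkey in tkey.c) passes values lifted from a client's TKEY request; a window with `expire < inception` is accepted here and only surfaces later in dns_tsigkey_find. A REQUIRE would abort named on bad network input, so reject it as an ordinary error before the key is linked into the ring, e.g. `if (inception != expire && expire < inception) { ret = ISC_R_RANGE; goto cleanup; }` using whatever out-of-range code isc/result.h provides and the unwind path this function already has (both outside the hunk). dns_tsigkey_create begins and ends outside the hunk.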
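Review bot: The placeholder key created here when the lookup fails is saved into `dring` (that is dns_tsigkey_create's documented contract in tsig.h) with `now, now`, which under the new convention means it never expires. Unless something outside this hunk deletes it once the BADKEY response has been sent, every unknown key name an unauthenticated client presents leaves a permanent, secret-less entry in the ring that the expiry mechanism this commit adds can never reclaim. If the entry is only needed for the lifetime of this message, give it a short finite window (e.g. `now, now + tsig->fudge`) or remove it on the cleanup path, and add a comment saying which applies. dns_tsig_verify continues outside the hunk.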
@@ -640,7 +647,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 key = tsigkey->key;
 /* Is the time ok? */
- isc_stdtime_get(&now);
 if (abs(now - tsig->timesigned) > tsig->fudge) {
 msg->tsigstatus = dns_tsigerror_badtime;
 return (DNS_R_TSIGVERIFYFAILURE);
@@ -954,12 +960,14 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
 dns_name_t *algorithm, dns_tsig_keyring_t *ring)
 {
 dns_tsigkey_t *key;
+ isc_stdtime_t now;
 REQUIRE(tsigkey != NULL);
 REQUIRE(*tsigkey == NULL);
 REQUIRE(name != NULL);
 REQUIRE(ring != NULL);
+ isc_stdtime_get(&now);
 isc_rwlock_lock(&ring->lock, isc_rwlocktype_read);
 key = ISC_LIST_HEAD(ring->keys);
 while (key != NULL) {
@@ -968,6 +976,13 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
 dns_name_equal(&key->algorithm, algorithm)) &&
 !key->deleted)
 {
+ if (key->inception != key->expire &&
+ key->expire < now)
+ {
+ /* the key has expired */
+ key->deleted = 1;
+ continue;
+ }
 isc_mutex_lock(&key->lock);
 key->refs++;
 isc_mutex_unlock(&key->lock);
diff --git a/lib/dns/tsigconf.c b/lib/dns/tsigconf.c
index 08ce36bfdb..86d30e4f0a 100644
--- a/lib/dns/tsigconf.c
+++ b/lib/dns/tsigconf.c
@@ -19,6 +19,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -35,6 +36,7 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring,
 int secretalloc = 0;
 int secretlen = 0;
 isc_result_t ret;
+ isc_stdtime_t now;
 key = ISC_LIST_HEAD(list->keydefs);
 while (key != NULL) {
@@ -102,8 +104,10 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring,
 isc_lex_close(lex);
 isc_lex_destroy(&lex);
+ isc_stdtime_get(&now);
 ret = dns_tsigkey_create(&keyname, &alg, secret, secretlen,
- ISC_FALSE, NULL, mctx, ring, NULL);
+ ISC_FALSE, NULL, now, now,
+ mctx, ring, NULL);
 isc_mem_put(mctx, secret, secretalloc);
 secret = NULL;
 if (ret != ISC_R_SUCCESS)
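Review bot: The fudge check `abs(now - tsig->timesigned)` that the moved time read now feeds is fragile: if isc_stdtime_t is an unsigned seconds counter (it looks like one; confirm in isc/stdtime.h), the subtraction wraps and the result is converted to int for abs(), which is implementation-defined for large values and undefined when it lands on INT_MIN, so a timesigned roughly 2^31 seconds away from now hits exactly that case. Compute the distance without a signed conversion: `isc_stdtime_t delta = now > tsig->timesigned ? now - tsig->timesigned : tsig->timesigned - now;` followed by `if (delta > tsig->fudge) {`. dns_tsig_verify continues outside the hunk.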
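Review bot: The expiry branch writes `key->deleted = 1` while the ring is held only for reading (`isc_rwlocktype_read` in the preceding hunk) and without taking `key->lock`, whereas the refcount update just below is done under `key->lock`; concurrent callers of dns_tsigkey_find race on the flag, and a key marked this way is never unlinked or freed here, so expired keys accumulate in the ring. The check is also one-sided: `inception` is stored but never compared, so a key whose window has not started yet is handed out. I would write the condition as `if (key->inception != key->expire && (now < key->inception || key->expire < now))`, set `key->deleted = ISC_TRUE` under `key->lock` (matching `tkey->deleted = ISC_FALSE` in dns_tsigkey_create), and either upgrade to the write lock to unlink the key or leave a comment naming who reclaims deleted keys. Note that `continue` in a while loop re-evaluates the condition on the same key, which is then skipped by `!key->deleted`; the advance step that finally moves past it is outside the hunk.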