Test rndc rollover inactive key

When users (accidentally) try to roll an inactive key, throw an error.

bin/tests/system/kasp/tests.sh

@@ -2802,6 +2802,15 @@ check_apex
 check_subdomain
 dnssec_verify
 
+# Try to schedule a ZSK rollover for an inactive key (should fail).
+n=$((n+1))
+echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
+ret=0
+rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n
+grep "key is not active and cannot be rolled" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Testing DNSSEC introduction.
 #

lib/dns/keymgr.c

@@ -2181,7 +2181,7 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 	}
 
 	result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS || active > now) {
 		return (ISC_R_UNEXPECTED);
 	}