diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index be067da571..7b9f8bb404 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2802,6 +2802,15 @@ check_apex
 check_subdomain
 dnssec_verify
+# Try to schedule a ZSK rollover for an inactive key (should fail).
+n=$((n+1))
+echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
+ret=0
+rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n
+grep "key is not active and cannot be rolled" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Testing DNSSEC introduction.
 #
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 36bb4a3f71..c31405c89d 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -2181,7 +2181,7 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 }
 result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
-if (result != ISC_R_SUCCESS) {
+if (result != ISC_R_SUCCESS || active > now) {
 return (ISC_R_UNEXPECTED);
 }
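Review bot: The new check only asserts on the error text; it never confirms that the rollover was actually refused, so a regression that prints "key is not active and cannot be rolled" but still schedules a retire time for KEY4 would pass. The grep line should be followed by a check that KEY4's timing metadata is unchanged, using the file's existing key-check helpers, and the rndccmd invocation should record its exit status rather than relying on the message alone. The comment "for an inactive key" is ambiguous against the keymgr.c change in this commit, which rejects a key whose Activate time is in the future: say which case KEY4 is in, e.g. `# Try to schedule a ZSK rollover for a key that is not yet active (should fail).` if that is the intended scenario. The unquoted command substitution should also be quoted, `-key "$(key_get KEY4 ID)"`, so an empty or whitespace-containing id cannot silently change the argument list.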
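Review bot: The added `active > now` condition folds a key that is not yet active into the same ISC_R_UNEXPECTED result as a failed dst_key_gettime() lookup, so the caller cannot distinguish missing Activate metadata from a future activation, and whatever text the caller maps ISC_R_UNEXPECTED to (presumably the "key is not active" message the test greps for) will also be reported when the metadata is merely absent. Keep the two cases apart: leave `if (result != ISC_R_SUCCESS) { return (ISC_R_UNEXPECTED); }` as it was and add a separate `if (active > now) { return (<RESULT_CODE_FOR_NOT_ACTIVE_KEY: placeholder>); }` with a dedicated result code so the diagnostic is honest. The new check also does not reject a key whose Inactive time has already passed; if an already-retired key must not be rolled either, DST_TIME_INACTIVE needs the same treatment. dns_keymgr_rollover begins and ends outside the hunk.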