On Mon, Jan 26, 2015 at 09:08:36PM -0500, John wrote:
There appear to be time differences between the records reported by DIG and the source records on file.
Dig does not and cannot report the activation and inactivation time, so it is hard to see how one might expect anything in dig output to agree with either time.
RRsigs report the signature validity interval, which should start some time after activation and, though it generally will end before inactivation, may even end after inactivation if the key inactivation time was set (as in Carsten's notes) sufficiently close to that date that existing RRsigs may already be in place that outlive the key inactivation.
The initial time of an RRsig will never be outside the (activation, inactivation) interval, but the final time may lie just beyond.
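
The relationship described in this reply can be checked mechanically. The script below is an added example, not part of the original message: it assumes BIND-style `; Activate:` / `; Inactive:` comment lines in the key file, and the sample records, key tag 12345 and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # RRSIG and key-file timestamps: YYYYMMDDHHmmSS, UTC

# Constructed sample data (not taken from the thread).
SAMPLE_KEY = """\
; Activate: 20150101000000 (Thu Jan  1 00:00:00 2015)
; Inactive: 20150210000000 (Tue Feb 10 00:00:00 2015)
example.com. IN DNSKEY 256 3 8 PLACEHOLDERKEYDATA
"""
SAMPLE_DIG = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20150215120000 20150116110000 12345 example.com. c2ln
example.com. 3600 IN RRSIG NS 8 2 3600 20150205000000 20150106000000 12345 example.com. c2ln
example.com. 3600 IN RRSIG MX 8 2 3600 20150301000000 20150130000000 54321 example.com. c2ln
"""

def ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def key_times(key_text):
    """Read the Activate and Inactive times from the key file's comment header."""
    found = dict(re.findall(r"^;\s*(Activate|Inactive):\s*(\d{14})", key_text, re.M))
    return ts(found["Activate"]), ts(found["Inactive"])

def rrsig_intervals(dig_text, key_tag):
    """Yield (type_covered, inception, expiration) for RRSIGs made by key_tag."""
    for line in dig_text.splitlines():
        f = line.split()
        if line.startswith(";") or "RRSIG" not in f:
            continue
        r = f[f.index("RRSIG") + 1:]
        # RDATA order: covered alg labels origttl EXPIRATION INCEPTION keytag signer sig
        if len(r) >= 8 and int(r[6]) == key_tag:
            yield r[0], ts(r[5]), ts(r[4])

def check(dig_text, key_text, key_tag):
    """Compare each signature's validity interval with the key's active window."""
    activate, inactive = key_times(key_text)
    return [{
        "covered": covered,
        "inception_in_window": activate <= inception <= inactive,
        "outlives_key": expiration > inactive,
        "overhang": max(expiration - inactive, timedelta(0)),
    } for covered, inception, expiration in rrsig_intervals(dig_text, key_tag)]

if __name__ == "__main__":
    for row in check(SAMPLE_DIG, SAMPLE_KEY, 12345):
        print(row)
```

In the RRSIG presentation format the expiration field precedes the inception field, which is easy to misread when comparing dig output by eye.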