diff --git a/CHANGES b/CHANGES
index 82e6d24700..7cd2e2f3aa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,6 @@
+ 944. [func] Check for expired signatures on load.
+
  943. [bug] The server could crash when receiving a command via rndc if the configuration file listed only nonexistent keys in the controls statement. [RT #1530]
diff --git a/lib/dns/master.c b/lib/dns/master.c
index 92c3f4099e..f40ad0dead 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.c,v 1.119 2001/06/05 06:34:45 bwelling Exp $ */
+/* $Id: master.c,v 1.120 2001/07/24 18:49:06 bwelling Exp $ */
 
 #include
 
@@ -38,6 +38,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -101,6 +102,7 @@ struct dns_loadctx {
 	isc_boolean_t ttl_known;
 	isc_boolean_t default_ttl_known;
 	isc_boolean_t warn_1035;
+	isc_boolean_t warn_sigexpired;
 	isc_boolean_t seen_include;
 	isc_uint32_t ttl;
 	isc_uint32_t default_ttl;
@@ -460,6 +462,7 @@ loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
 	lctx->default_ttl_known = ISC_FALSE;
 	lctx->default_ttl = 0;
 	lctx->warn_1035 = ISC_TRUE; /* XXX Argument? */
+	lctx->warn_sigexpired = ISC_TRUE; /* XXX Argument? */
 	lctx->options = options;
 	lctx->seen_include = ISC_FALSE;
 	lctx->zclass = zclass;
@@ -803,6 +806,7 @@ load(dns_loadctx_t *lctx) {
 	const char *source = "";
 	unsigned long line = 0;
 	isc_boolean_t explicit_ttl;
+	isc_stdtime_t now;
 
 	REQUIRE(DNS_LCTX_VALID(lctx));
 	callbacks = lctx->callbacks;
@@ -812,6 +816,8 @@ load(dns_loadctx_t *lctx) {
 	ISC_LIST_INIT(glue_list);
 	ISC_LIST_INIT(current_list);
 
+	isc_stdtime_get(&now);
+
 	/*
 	 * Allocate target_size of buffer space. This is greater than twice
 	 * the maximum individual RR data size.
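Review bot: The new `warn_sigexpired` member of struct dns_loadctx is added without a comment, and its initialization in the loadctx_create hunk only copies the neighbouring `/* XXX Argument? */` remark, so nothing at the declaration says what the flag means. A one-line comment on the field, `/* Warn once about an expired SIG seen during load; cleared after the first warning. */`, would document the one-shot semantics, which are otherwise visible only where load() clears the flag. The same note applies to the loadctx_create hunk that follows. Both enclosing definitions begin and end outside their hunks.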
@@ -1428,6 +1434,19 @@ load(dns_loadctx_t *lctx) { lctx->warn_1035 = ISC_FALSE; } + if (type == dns_rdatatype_sig && lctx->warn_sigexpired) { + dns_rdata_sig_t sig; + (void)dns_rdata_tostruct(&rdata[rdcount], &sig, NULL); + if (now > sig.timeexpire) { + (*callbacks->warn)(callbacks, + "%s: %s:%lu: " + "signature has expired", + "dns_master_load", + source, line); + lctx->warn_sigexpired = ISC_FALSE; + } + } + if ((lctx->options & DNS_MASTER_AGETTL) != 0) { /* * Adjust the TTL for $DATE. If the RR has already
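Review bot: The return value of `dns_rdata_tostruct` is discarded with a `(void)` cast while `sig` is declared without an initializer, so if the conversion ever fails the following `now > sig.timeexpire` reads an uninitialized field and the warning decision becomes arbitrary; fold the result into the condition, `if (dns_rdata_tostruct(&rdata[rdcount], &sig, NULL) == ISC_R_SUCCESS && now > sig.timeexpire) {`. Because `lctx->warn_sigexpired` is cleared after the first hit, only the first expired SIG in the whole load is reported and the message identifies it by file and line only, not by owner name or covered type; a comment on the outer `if`, `/* Report only the first expired SIG; later ones are silent. */`, would keep the next reader from assuming every expired signature is logged, and naming the owner in the message (if it is in scope here, which the hunk does not show) would help operators find the RRset. The enclosing load() function begins and ends outside the hunk.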