diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index cee11a2db0..0d25db5d3f 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -86,6 +86,16 @@ static const char *keystatetags[NUM_KEYSTATES] = { "DNSKEY", "ZRRSIG", "KRRSIG",
 static const char *keystatestrings[4] = { "HIDDEN", "RUMOURED", "OMNIPRESENT",
 					  "UNRETENTIVE" };
 
+static void
+log_key_overflow(dst_key_t *key, const char *what) {
+	char keystr[DST_KEY_FORMATSIZE];
+	dst_key_format(key, keystr, sizeof(keystr));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC,
+		      ISC_LOG_WARNING,
+		      "keymgr: DNSKEY %s (%s) calculation overflowed", keystr,
+		      what);
+}
+
 /*
  * Print key role.
  *
@@ -299,6 +309,7 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 		}
 
 		if (ISC_OVERFLOW_ADD(active, klifetime, &retire)) {
+			log_key_overflow(key->key, "retire");
 			retire = UINT32_MAX;
 		}
 		dst_key_settime(key->key, DST_TIME_INACTIVE, retire);
@@ -403,6 +414,7 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 			uint32_t inactive;
 			(void)dst_key_gettime(key->key, DST_TIME_ACTIVATE, &a);
 			if (ISC_OVERFLOW_ADD(a, lifetime, &inactive)) {
+				log_key_overflow(key->key, "inactive");
 				inactive = UINT32_MAX;
 			}
 			dst_key_settime(key->key, DST_TIME_INACTIVE, inactive);
@@ -1883,6 +1895,7 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
 		uint32_t inactive;
 
 		if (ISC_OVERFLOW_ADD(active, lifetime, &inactive)) {
+			log_key_overflow(new_key->key, "inactive");
 			inactive = UINT32_MAX;
 		}
 		dst_key_settime(new_key->key, DST_TIME_INACTIVE, inactive);