diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook index 1a209be3eb..32848250be 100644 --- a/bin/python/dnssec-keymgr.docbook +++ b/bin/python/dnssec-keymgr.docbook @@ -99,6 +99,12 @@ set by the option), and check the keys for all the zones represented in the directory. + + Key times that are in the past will not be updated unless + the is used (see below). Key inactivation + and deletion times that are less than five minutes in the future + will be delayed by five minutes. + It is expected that this tool will be run automatically and unattended (for example, by cron). diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in index 74ccc645f8..2f4906f809 100644 --- a/bin/python/isc/keyseries.py.in +++ b/bin/python/isc/keyseries.py.in 
@@ -83,31 +83,36 @@ class keyseries:
 a = now
 i = key.inactive()
+ fudge = 300
 if not rp:
 key.setinactive(None, **kwargs)
 key.setdelete(None, **kwargs)
 elif not i or a + rp != i:
- if not i and a + rp > now + prepub:
+ if not i and a + rp > now + prepub + fudge:
 key.setinactive(a + rp, **kwargs)
 key.setdelete(a + rp + postpub, **kwargs)
 elif not i:
- key.setinactive(now + prepub, **kwargs)
- key.setdelete(now + prepub + postpub, **kwargs)
+ key.setinactive(now + prepub + fudge, **kwargs)
+ key.setdelete(now + prepub + postpub + fudge, **kwargs)
+ elif i < now:
+ pass
 elif a + rp > i:
 key.setinactive(a + rp, **kwargs)
 key.setdelete(a + rp + postpub, **kwargs)
- elif a + rp > now + prepub:
+ elif a + rp > now + prepub + fudge:
 key.setinactive(a + rp, **kwargs)
 key.setdelete(a + rp + postpub, **kwargs)
 else:
- key.setinactive(now + prepub, **kwargs)
- key.setdelete(now + prepub + postpub, **kwargs)
+ key.setinactive(now + prepub + fudge, **kwargs)
+ key.setdelete(now + prepub + postpub + fudge, **kwargs)
 else:
 d = key.delete()
- if not d or i + postpub > now:
+ if not d or i + postpub > now + fudge:
 key.setdelete(i + postpub, **kwargs)
 elif not d:
- key.setdelete(now + postpub, **kwargs)
+ key.setdelete(now + postpub + fudge, **kwargs)
+ elif d < now + fudge:
+ pass
 elif d < i + postpub:
 key.setdelete(i + postpub, **kwargs)
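Review bot: In the final `else:` branch, `elif not d:` cannot be reached, because `if not d or i + postpub > now + fudge:` is already true whenever `d` is unset. An unset deletion time is therefore always set to `i + postpub`, even when that moment has passed, and the new `now + postpub + fudge` path never runs. The same `or` also lets a deletion time that is already in the past be rewritten before the `elif d < now + fudge: pass` guard is consulted, which does not match the documented rule that past key times are left alone. The inactive-time branch above uses `not i and ...`, so if the same was intended here the condition would read `if not d and i + postpub > now + fudge:`. That would change the case where `d` is set later than `i + postpub`, so it should be confirmed against the intended rollover behaviour; the enclosing method starts and ends outside the hunk.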