From ae42fa69fa1b1b19bdfa3c1957f8ca8fec005a24 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 15 Jan 2025 13:47:48 +0100 Subject: [PATCH] Clarify dnssec-signzone interval option There was confusion about whether the interval was calculated from the validity period provided on the command line (with -s and -e), or from the signature being replaced. Add text to clarify that the interval is calculated from the new validity period. --- bin/dnssec/dnssec-signzone.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 3e1465a43c..fffae1980a 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -174,6 +174,11 @@ Options days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they are replaced. + Note that the calculation of cycle interval is based upon the validity + period of the replacement signatures that would be generated by + ``dnssec-signzone``, not on the valid lifetimes of the input RRSIGs being + considered for pre-expiry replacement. + .. option:: -I input-format This option sets the format of the input zone file. Possible formats are
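Review bot: The added paragraph in the interval option text never names the options that the commit message identifies as the source of the confusion (-s and -e), so a reader still has to infer which validity period is meant. Consider wording it as "the validity period of the replacement signatures (as set with ``-s`` and ``-e``)". The paragraph also switches from "validity period" for the new signatures to "valid lifetimes" for the input RRSIGs; using one term for both would make the contrast clearer. Finally, "the calculation of cycle interval" reads better with an article ("the cycle interval").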