From 74d2e7704fee7d1fa5e47615b29d1ef35b41dd9e Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 6 May 2022 16:56:13 +0200
Subject: [PATCH] Update signatures-refresh documentation

Mention in the ARM the new restriction about signatures-refresh.
---
 doc/arm/reference.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 11a3467a6c..7214c1fe46 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -5351,7 +5351,9 @@ The following options can be specified in a ``dnssec-policy`` statement:
     refreshed.  The signature is renewed when the time until the
     expiration time is less than the specified interval.  The default is
     ``P5D`` (5 days), meaning signatures that expire in 5 days or sooner
-    are refreshed.
+    are refreshed. The ``signatures-refresh`` value must be less than
+    90% of the minimum value of ``signatures-validity`` and
+    ``signatures-validity-dnskey``.
 
   ``signatures-validity``
     This indicates the validity period of an RRSIG record (subject to