diff --git a/doc/arm/config-intro.inc.rst b/doc/arm/config-intro.inc.rst
index d041eccf5f..f947662522 100644
--- a/doc/arm/config-intro.inc.rst
+++ b/doc/arm/config-intro.inc.rst
@@ -104,7 +104,7 @@ features where appropriate.  Zone files consist of :ref:`Resource Records (RR)
                                         2003080800 ; serial number
                                         12h        ; refresh
                                         15m        ; update retry
-                                        3w         ; expiry
+                                        4d         ; expiry
                                         2h         ; minimum
                                         )
         ; name server RR for the domain
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 293e7ca581..88a44045ba 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6642,6 +6642,10 @@ keys
     This indicates the validity period of an RRSIG record (subject to
     inception offset and jitter). The default is ``P2W`` (2 weeks).
 
+    The :any:`signatures-validity` should be at least several multiples
+    of the SOA expire interval, to allow for reasonable interaction between
+    the various timer and expiry dates.
+
 .. namedconf:statement:: signatures-validity-dnskey
    :tags: dnssec
    :short: Indicates the validity period of DNSKEY records.