From e36f4b66a3f264fe83c627d2dbbb9c2a94f6a845 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 15 Jan 2025 13:47:48 +0100 Subject: [PATCH] Clarify dnssec-signzone interval option There was confusion about whether the interval was calculated from the validity period provided on the command line (with -s and -e), or from the signature being replaced. Add text to clarify that the interval is calculated from the new validity period. (cherry picked from commit ae42fa69fa1b1b19bdfa3c1957f8ca8fec005a24) --- bin/dnssec/dnssec-signzone.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index ec4cc2d0a2..072439b109 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -183,6 +183,11 @@ Options days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they are replaced. + Note that the calculation of cycle interval is based upon the validity + period of the replacement signatures that would be generated by + ``dnssec-signzone``, not on the valid lifetimes of the input RRSIGs being + considered for pre-expiry replacement. + .. option:: -I input-format This option sets the format of the input zone file. Possible formats are
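
Review bot: The paragraph added in the `@@ -183,6 +183,11 @@` hunk of bin/dnssec/dnssec-signzone.rst never names the options that define the new validity period, although the commit message says the confusion was about the period given on the command line with -s and -e. Suggest tying the sentence to those options, for example "the validity period of the replacement signatures (as set with -s and -e)", so a reader can see which values feed the calculation. The wording is also inconsistent within the sentence: it contrasts a "validity period" with the "valid lifetimes of the input RRSIGs", and "calculation of cycle interval" is missing an article. Using "validity period" on both sides and "the cycle interval" would read more cleanly.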