Clarify dnssec-signzone interval option

There was confusion about whether the interval was calculated from
the validity period provided on the command line (with -s and -e),
or from the signature being replaced.

Add text to clarify that the interval is calculated from the new
validity period.

diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst
index 3e1465a43c81faa5d5df502cc9651bb2833e8db9..fffae1980a4a4c2a544c739d06f3ce7b29d7eade 100644 (file)
--- a/bin/dnssec/dnssec-signzone.rst
+++ b/bin/dnssec/dnssec-signzone.rst
@@ -174,6 +174,11 @@ Options
    days. Therefore, if any existing RRSIG records are due to expire in
    less than 7.5 days, they are replaced.
 
+   Note that the calculation of cycle interval is based upon the validity
+   period of the replacement signatures that would be generated by
+   ``dnssec-signzone``, not on the valid lifetimes of the input RRSIGs being
+   considered for pre-expiry replacement.
+
 .. option:: -I input-format
 
    This option sets the format of the input zone file. Possible formats are