This sets the base retry interval in milliseconds. The default is ``800``.
``sig-validity-interval``
- This specifies the number of days into the future that DNSSEC signatures
- that are automatically generated as a result of dynamic updates
- (:ref:`dynamic_update`) will expire. There is an optional second
- field which specifies how long before expiry the signatures are
- regenerated. If not specified, the signatures are regenerated
- at 1/4 of the base interval. The second field is specified in days if the
- base interval is greater than 7 days; otherwise it is specified in
- hours. The default base interval is ``30`` days, giving a re-signing
- interval of 7 1/2 days. The maximum value is 10 years (3660 days).
+ this specifies the upper bound of the number of days that RRSIGs
+ generated by ``named`` are valid; the default is ``30`` days,
+ with a maximum of 3660 days (10 years). The optional second value
+ specifies the minimum bound on those RRSIGs and also determines
+ how long before expiry ``named`` starts regenerating those RRSIGs.
+ The default value for the lower bound is 1/4 of the upper bound;
+ it is expressed in days if the upper bound is greater than 7,
+ and hours if it is less than or equal to 7 days.
+
+ When new RRSIGs are generated, the length of time is randomly
+ chosen between these two limits, to spread out the re-signing
+ load. When RRSIGs are re-generated, the upper bound is used, with
+ a small amount of jitter added. New RRSIGs are generated by a
+ number of processes, including the processing of UPDATE requests
+ (ref:`dynamic_update`), the addition and removal of records via
+ in-line signing, and the initial signing of a zone.
The signature inception time is unconditionally set to one hour
before the current time, to allow for a limited amount of clock skew.
projects / thirdparty / bind9.git / commitdiff
