From: Mark Andrews
Date: Thu, 2 Sep 2021 05:28:45 +0000 (+1000)
Subject: Update sig-validity-interval description
X-Git-Tag: v9.17.18~4^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e65ce00f11ac0a1f59b50875efcc98f2dc3728c8;p=thirdparty%2Fbind9.git

Update sig-validity-interval description

Document that the interval on new RRSIG records is randomly chosen
between the limits specified by sig-validity-interval. Document the
operations when this occurs.
---
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 10420d4a48b..e18500d48ca 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3438,15 +3438,22 @@ Tuning This sets the base retry interval in milliseconds. The default is ``800``. ``sig-validity-interval`` - This specifies the number of days into the future that DNSSEC signatures - that are automatically generated as a result of dynamic updates - (:ref:`dynamic_update`) will expire. There is an optional second - field which specifies how long before expiry the signatures are - regenerated. If not specified, the signatures are regenerated - at 1/4 of the base interval. The second field is specified in days if the - base interval is greater than 7 days; otherwise it is specified in - hours. The default base interval is ``30`` days, giving a re-signing - interval of 7 1/2 days. The maximum value is 10 years (3660 days). + this specifies the upper bound of the number of days that RRSIGs + generated by ``named`` are valid; the default is ``30`` days, + with a maximum of 3660 days (10 years). The optional second value + specifies the minimum bound on those RRSIGs and also determines + how long before expiry ``named`` starts regenerating those RRSIGs. + The default value for the lower bound is 1/4 of the upper bound; + it is expressed in days if the upper bound is greater than 7, + and hours if it is less than or equal to 7 days. + + When new RRSIGs are generated, the length of time is randomly + chosen between these two limits, to spread out the re-signing + load. When RRSIGs are re-generated, the upper bound is used, with + a small amount of jitter added. New RRSIGs are generated by a + number of processes, including the processing of UPDATE requests + (ref:`dynamic_update`), the addition and removal of records via + in-line signing, and the initial signing of a zone. The signature inception time is unconditionally set to one hour before the current time, to allow for a limited amount of clock skew.
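Review bot: the cross-reference in the last added paragraph has lost its leading colon: `(ref:`dynamic_update`)` should read `(:ref:`dynamic_update`)` as in the removed text, otherwise Sphinx emits it as literal text instead of a link to the dynamic update section. Two smaller points in the same hunk: the first added line starts with a lowercase `this specifies the upper bound`, whereas the neighbouring definition-list entries (see the retry-interval sentence in the context line above) begin with a capital; and the text now distinguishes RRSIGs being "generated" (validity chosen at random between the two bounds) from being "re-generated" (upper bound plus a small jitter) without saying in one sentence that "re-generated" means the scheduled refresh of signatures approaching expiry described two sentences earlier, so a reader cannot tell which of the two rules applies to the refresh path. Consider also keeping the worked default from the removed text (30 days with a 7 1/2 day re-signing interval), since the new wording only gives the 1/4 rule abstractly.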