Clarify dnssec-signzone interval option

There was confusion about whether the interval was calculated from
the validity period provided on the command line (with -s and -e),
or from the signature being replaced.

Add text to clarify that the interval is calculated from the new
validity period.

(cherry picked from commit ae42fa69fa1b1b19bdfa3c1957f8ca8fec005a24)

diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst
index ec4cc2d0a2eb161c191fba91b7fea488229ec994..072439b10979e100e0f371428f91ab205ca24d1e 100644 (file)
--- a/bin/dnssec/dnssec-signzone.rst
+++ b/bin/dnssec/dnssec-signzone.rst
@@ -183,6 +183,11 @@ Options
    days. Therefore, if any existing RRSIG records are due to expire in
    less than 7.5 days, they are replaced.
 
+   Note that the calculation of cycle interval is based upon the validity
+   period of the replacement signatures that would be generated by
+   ``dnssec-signzone``, not on the valid lifetimes of the input RRSIGs being
+   considered for pre-expiry replacement.
+
 .. option:: -I input-format
 
    This option sets the format of the input zone file. Possible formats are