From: Matthijs Mekking Date: Mon, 20 Jun 2022 09:08:51 +0000 (+0200) Subject: Document what is a too short key lifetime X-Git-Tag: v9.19.3~34^2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c47735b86bb7cc65591b8203efb291f67eedeaf1;p=thirdparty%2Fbind9.git Document what is a too short key lifetime To give a hint to users that get an error that the key lifetime is shorter than the time it takes to do a rollover. --- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 734c5166b76..54ca960b677 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -5324,9 +5324,15 @@ The following options can be specified in a ``dnssec-policy`` statement: ``unlimited``. Note that the lifetime of a key may be extended if retiring it too - soon would cause validation failures. For example, if the key were - configured to roll more frequently than its own TTL, its lifetime - would automatically be extended to account for this. + soon would cause validation failures. The key lifetime must be + longer than the time it takes to do a rollover; that is, the lifetime + must be more than the publication interval (which is the sum of + ``dnskey-ttl``, ``publish-safety``, and ``zone-propagation-delay``). + It must also be more than the retire interval (which is the sum of + ``max-zone-ttl``, ``retire-safety`` and ``zone-propagation-delay`` + for ZSKs, and the sum of ``parent-ds-ttl``, ``retire-safety``, and + ``parent-propagation-delay`` for KSKs and CSKs). BIND 9 treats a key + lifetime that is too short as an error. The ``algorithm`` parameter specifies the key's algorithm, expressed either as a string ("rsasha256", "ecdsa384", etc.) or as a decimal
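Review bot: The added paragraph in the ``dnssec-policy`` hunk leaves it ambiguous whether the lifetime must exceed the publication interval and the retire interval each on its own, or their combination, and it never quotes the error that the commit message says users will hit. Since the point of the change is to let a user map "key lifetime is shorter than the time it takes to do a rollover" back to a concrete configuration fix, consider stating the rule as a single comparison and naming the error, for example: "The key lifetime must be longer than both the publication interval and the retire interval; a lifetime that does not satisfy this is rejected at configuration load time." Two smaller points in the same lines: the second list drops the serial comma ("``retire-safety`` and ``zone-propagation-delay``" vs. "``publish-safety``, and ``zone-propagation-delay``"), and the sentence that introduces ``max-zone-ttl`` for ZSKs and ``parent-ds-ttl`` for KSKs and CSKs would read more clearly as two sentences, one per key type, so an operator tuning a CSK policy does not have to parse the parenthetical to find which TTL applies.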