From c47735b86bb7cc65591b8203efb291f67eedeaf1 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 20 Jun 2022 11:08:51 +0200 Subject: [PATCH] Document what is a too short key lifetime To give a hint to users that get an error that the key lifetime is shorter than the time it takes to do a rollover. --- doc/arm/reference.rst | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 734c5166b7..54ca960b67 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -5324,9 +5324,15 @@ The following options can be specified in a ``dnssec-policy`` statement: ``unlimited``. Note that the lifetime of a key may be extended if retiring it too - soon would cause validation failures. For example, if the key were - configured to roll more frequently than its own TTL, its lifetime - would automatically be extended to account for this. + soon would cause validation failures. The key lifetime must be + longer than the time it takes to do a rollover; that is, the lifetime + must be more than the publication interval (which is the sum of + ``dnskey-ttl``, ``publish-safety``, and ``zone-propagation-delay``). + It must also be more than the retire interval (which is the sum of + ``max-zone-ttl``, ``retire-safety`` and ``zone-propagation-delay`` + for ZSKs, and the sum of ``parent-ds-ttl``, ``retire-safety``, and + ``parent-propagation-delay`` for KSKs and CSKs). BIND 9 treats a key + lifetime that is too short as an error. The ``algorithm`` parameter specifies the key's algorithm, expressed either as a string ("rsasha256", "ecdsa384", etc.) or as a decimal