mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 22:45:39 +00:00

Update sig-validity-interval description

Document that the interval on new RRSIG records is randomly
chosen between the limits specified by sig-validity-interval.
Document the operations when this occurs.
Mark Andrews
2021-09-02 15:28:45 +10:00
parent 56d7d6d892
commit e65ce00f11


@@ -3438,15 +3438,22 @@ Tuning
This sets the base retry interval in milliseconds. The default is ``800``. This sets the base retry interval in milliseconds. The default is ``800``.
``sig-validity-interval`` ``sig-validity-interval``
This specifies the number of days into the future that DNSSEC signatures this specifies the upper bound of the number of days that RRSIGs
that are automatically generated as a result of dynamic updates generated by ``named`` are valid; the default is ``30`` days,
(:ref:`dynamic_update`) will expire. There is an optional second with a maximum of 3660 days (10 years). The optional second value
field which specifies how long before expiry the signatures are specifies the minimum bound on those RRSIGs and also determines
regenerated. If not specified, the signatures are regenerated how long before expiry ``named`` starts regenerating those RRSIGs.
at 1/4 of the base interval. The second field is specified in days if the The default value for the lower bound is 1/4 of the upper bound;
base interval is greater than 7 days; otherwise it is specified in it is expressed in days if the upper bound is greater than 7,
hours. The default base interval is ``30`` days, giving a re-signing and hours if it is less than or equal to 7 days.
interval of 7 1/2 days. The maximum value is 10 years (3660 days).
When new RRSIGs are generated, the length of time is randomly
chosen between these two limits, to spread out the re-signing
load. When RRSIGs are re-generated, the upper bound is used, with
a small amount of jitter added. New RRSIGs are generated by a
number of processes, including the processing of UPDATE requests
(ref:`dynamic_update`), the addition and removal of records via
in-line signing, and the initial signing of a zone.
The signature inception time is unconditionally set to one hour The signature inception time is unconditionally set to one hour
before the current time, to allow for a limited amount of clock skew. before the current time, to allow for a limited amount of clock skew.
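Review bot: the cross-reference in the new paragraph has lost its leading colon, so it will not render as a Sphinx role: `(ref:`dynamic_update`)` should be `(:ref:`dynamic_update`)`, matching the form `(:ref:`dynamic_update`)` used in the removed text. Two smaller points in the same hunk: the replacement description starts in lower case (`this specifies the upper bound of the number of days that RRSIGs`) while every other option description in this section starts with a capital, and the old text's worked default (30 days, re-signing at 7 1/2 days) has been dropped; stating the default lower bound of 7.5 days explicitly alongside "1/4 of the upper bound" would keep that concrete anchor for readers.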