Merge branch '4510-doc-key-lifetime-too-short-9.18' into 'bind-9.18'

[9.18] Fix ZSK lifetime minimum constraints documentation See merge request isc-projects/bind9!8671
2024-01-25 14:09:09 +00:00
parent f132740869 066b31667a
commit 98db8d9b4c
2 changed files with 8 additions and 4 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+6328.	[doc]		Update ZSK minimum lifetime documentation in ARM, also
+			depends on signing delay. [GL #4510]
+
 6326.	[func]		Add workaround to enforce dynamic linker to pull
 			jemalloc earlier than libc to ensure all memory
 			allocations are done via jemalloc. [GL #4404]
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6444,10 +6444,11 @@ The following options can be specified in a :any:`dnssec-policy` statement:
    must be more than the publication interval (which is the sum of
    :any:`dnskey-ttl`, :any:`publish-safety`, and :any:`zone-propagation-delay`).
    It must also be more than the retire interval (which is the sum of
-    :any:`max-zone-ttl`, :any:`retire-safety` and :any:`zone-propagation-delay`
-    for ZSKs, and the sum of :any:`parent-ds-ttl`, :any:`retire-safety`, and
-    :any:`parent-propagation-delay` for KSKs and CSKs). BIND 9 treats a key
-    lifetime that is too short as an error.
+    :any:`max-zone-ttl`, :any:`retire-safety`, :any:`zone-propagation-delay`,
+    and signing delay (:any:`signatures-validity` minus
+    :any:`signatures-refresh`) for ZSKs, and the sum of :any:`parent-ds-ttl`,
+    :any:`retire-safety`, and :any:`parent-propagation-delay` for KSKs and
+    CSKs). BIND 9 treats a key lifetime that is too short as an error.

    The ``algorithm`` parameter specifies the key's algorithm, expressed
    either as a string ("rsasha256", "ecdsa384", etc.) or as a decimal