new option "dnskey-sig-validity"

- overrides "sig-validity-interval" for DNSKEY, CDNSKEY and CDS RRSIGs

doc/arm/Bv9ARM-book.xml

@@ -8973,6 +8973,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  set to one hour before the current time to allow
 		  for a limited amount of clock skew.
 		</para>
+		<para>
+		  The <command>sig-validity-interval</command> can be
+		  overridden for DNSKEY records by setting
+		  <command>dnskey-sig-validity</command>.
+		</para>
 		<para>
 		  The <command>sig-validity-interval</command>
 		  should be, at least, several multiples of the SOA
@@ -8982,6 +8987,24 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      </listitem>
 	    </varlistentry>
 
+	    <varlistentry>
+	      <term><command>dnskey-sig-validity</command></term>
+	      <listitem>
+		<para>
+		  Specifies the number of days into the future when
+		  DNSSEC signatures that are automatically generated
+		  for DNSKEY RRsets as a result of dynamic updates
+		  (<xref linkend="dynamic_update"/>) will expire.
+		  If set to a non-zero value, this overrides the
+		  value set by <command>sig-validity-interval</command>.
+		  The default is zero, meaning
+		  <command>sig-validity-interval</command> is used.
+		  The maximum value is 3660 days (10 years), and
+		  higher values will be rejected.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
 	    <varlistentry>
 	      <term><command>sig-signing-nodes</command></term>
 	      <listitem>

doc/arm/notes.xml

@@ -78,6 +78,13 @@
 	  'root-key-sentinel no;' to named.conf.
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  The <command>dnskey-sig-validity</command> option allows the
+	  <command>sig-validity-interval</command> to be overriden for
+	  signatures covering DNSKEY RRsets. [GL #145]
+	</para>
+      </listitem>
     </itemizedlist>
   </section>