Documentation: dnssec-policy: Consider emphasising the relationship between signature refresh interval & SOA expire value
Description
Documentation for version 9.18 (& earlier) included "The sig-validity-interval should be at least several multiples of the SOA expire interval, to allow for reasonable interaction between the various timer and expiry dates." (https://bind9.readthedocs.io/en/v9.18.30/reference.html#namedconf-statement-sig-validity-interval).
With sig-validity-interval now obsolete in version 9.20, that phrase has been removed. (https://bind9.readthedocs.io/en/v9.20.2/reference.html#namedconf-statement-sig-validity-interval)
Request
Consider restoring the warning text, perhaps to the dnssec-policy signatures-refresh statement? (https://bind9.readthedocs.io/en/v9.20.2/reference.html#namedconf-statement-signatures-refresh); or mention it within the DNSSEC Zone Signing subchapter.
This feels especially important with the shorter default value used by dnssec-policy (resign at 5 days remaining) compared to sig-validity-interval (resign at 7.5 days remaining).
The example.com zone file given in the "Configurations and Zone Files" chapter (https://bind9.readthedocs.io/en/v9.20.2/chapter3.html#example-com-base-zone-file) has an SOA expire of 3 weeks, which would appear to be well outside the safe window if the default dnssec-policy was applied to it.
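As an added illustration of the relationship this issue is about (example code written for this page, not part of the issue, of BIND, or of its documentation): the check below compares the signature validity left at refresh time against the SOA expire value. The worst case it models is a secondary whose last successful transfer happened just before the primary re-signed, so it holds RRSIGs with only the refresh margin of validity remaining, yet keeps serving that copy for up to SOA expire if further transfers fail; validators then see expired signatures for the difference. Assumptions not stated on the page: the 14-day signatures-validity default for dnssec-policy and the 30-day sig-validity-interval default, the "safe when refresh margin >= SOA expire" rule as a reading of the removed documentation text, and the duration parser itself (a subset of BIND's TTL syntax and of ISO 8601 durations, with years and months approximated), which is this example's own and not BIND's parser.

```python
import re
from typing import NamedTuple

# Unit multipliers for BIND's zone-file TTL syntax ("3w", "1d12h", or plain seconds).
_TTL_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TTL_PART = re.compile(r"(\d+)([wdhms])", re.IGNORECASE)
_TTL_FULL = re.compile(r"(?:\d+[wdhms])+", re.IGNORECASE)

# Subset of ISO 8601 durations as used by dnssec-policy ("P5D", "P2W", "PT12H").
# "M" means months before the "T" separator and minutes after it.
_ISO_FULL = re.compile(
    r"P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?",
    re.IGNORECASE,
)
# Years and months have no fixed length; approximating them is this example's
# assumption, not BIND's rule.
_ISO_UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 604800, "d": 86400,
              "h": 3600, "mi": 60, "s": 1}


def parse_duration(text: str) -> int:
    """Return a duration in seconds from BIND TTL syntax or an ISO 8601 duration."""
    t = text.strip()
    if t.isdigit():
        return int(t)
    m = _ISO_FULL.fullmatch(t)
    if m and any(m.group(k) for k in _ISO_UNITS):
        return sum(int(m.group(k) or 0) * mult for k, mult in _ISO_UNITS.items())
    if _TTL_FULL.fullmatch(t):
        return sum(int(n) * _TTL_UNITS[u.lower()] for n, u in _TTL_PART.findall(t))
    raise ValueError(f"unrecognised duration: {text!r}")


class WindowCheck(NamedTuple):
    refresh_margin: int  # seconds of RRSIG validity left when named re-signs
    soa_expire: int      # seconds a secondary keeps serving a copy it cannot refresh
    deficit: int         # seconds a stale copy would be served with expired RRSIGs (0 if none)

    @property
    def safe(self) -> bool:
        return self.deficit == 0


def check_signing_window(signatures_validity: str, signatures_refresh: str,
                         soa_expire: str) -> WindowCheck:
    """Compare the signature-refresh margin against the SOA expire value.

    A secondary that last transferred just before a re-sign holds RRSIGs with only
    `signatures_refresh` validity left; if transfers then fail it serves that copy for
    up to `soa_expire`, so anything beyond the margin is served with expired signatures.
    """
    validity = parse_duration(signatures_validity)
    refresh = parse_duration(signatures_refresh)
    expire = parse_duration(soa_expire)
    if refresh >= validity:
        raise ValueError("signatures-refresh must be shorter than signatures-validity")
    return WindowCheck(refresh_margin=refresh, soa_expire=expire,
                       deficit=max(0, expire - refresh))


if __name__ == "__main__":
    DAY = 86400
    # Constructed scenarios: the 14-day and 30-day validity values are assumed defaults.
    scenarios = {
        # dnssec-policy: re-sign at 5 days remaining, against the example.com 3-week expire
        "dnssec-policy defaults vs example.com (3w expire)": ("P14D", "P5D", "3w"),
        # legacy sig-validity-interval: 30-day validity, re-sign at 7.5 days remaining
        "sig-validity-interval defaults vs example.com (3w expire)": ("30d", "180h", "3w"),
        # an SOA expire that fits inside the refresh margin
        "dnssec-policy defaults vs 3-day expire": ("P14D", "P5D", "3d"),
    }
    for name, args in scenarios.items():
        r = check_signing_window(*args)
        if r.safe:
            print(f"{name}: ok")
        else:
            print(f"{name}: UNSAFE, a stale secondary could serve expired RRSIGs "
                  f"for up to {r.deficit / DAY:g} days")
```

Run against the issue's own numbers, the example.com zone (SOA expire 3w) with the dnssec-policy refresh margin of 5 days leaves a 16-day window in which a secondary that has lost contact with the primary would still answer with expired signatures; the legacy 7.5-day margin narrows that to 13.5 days but does not close it. Only an SOA expire no longer than the refresh margin makes the deficit zero, which is the point the removed documentation sentence was making.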