In https://dotat.at/@/2024-05-11-dnssec-policy.html Tony Finch writes:
The default signatures-refresh is 5 days. It must be at least the zone's SOA expire timer plus the max zone TTL, which in my zones is 7 days plus 1 day.

If there is a problem such that a secondary server is unable to refresh its copy of a zone, we want to ensure that the zone expires before its signatures become invalid, so that the secondary server does not serve bogus data.
For Cascade, after signing a zone, check if the SOA expire time plus the maximum TTL found in the zone is less than (or equal to) the configured signature remain time(s). If not, warn the user.
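A check of the kind proposed above, written here as an added example and not as Cascade's own code. It assumes a simplified zone text (one record per line, no `$TTL` or parenthesised multi-line records) and takes the configured remain time as a plain number of seconds; both are assumptions, not Cascade's format or option name.

```rust
/// Added example (not Cascade's own code): parse a minimal one-record-per-line
/// zone text, find the SOA expire timer and the largest TTL, and compare them
/// with the configured signature remain time (assumed name, in seconds).
#[derive(Debug, PartialEq)]
pub struct ZoneTimers {
    pub soa_expire: u32,
    pub max_ttl: u32,
}

/// Parse "owner TTL class type rdata..." lines; None if there is no SOA.
pub fn zone_timers(zone: &str) -> Option<ZoneTimers> {
    let mut soa_expire = None;
    let mut max_ttl = 0u32;
    for line in zone.lines() {
        let fields: Vec<&str> = line.split_whitespace().collect();
        if fields.len() < 4 || fields[0].starts_with(';') {
            continue;
        }
        let ttl: u32 = fields[1].parse().ok()?;
        max_ttl = max_ttl.max(ttl);
        // SOA rdata order: mname rname serial refresh retry expire minimum
        if fields[3] == "SOA" && fields.len() >= 11 {
            soa_expire = Some(fields[9].parse().ok()?);
        }
    }
    Some(ZoneTimers { soa_expire: soa_expire?, max_ttl })
}

/// Ok when the remain time covers SOA expire + max TTL, otherwise Err with the
/// shortfall in seconds, which is what the signer should warn about.
pub fn check_remain_time(t: &ZoneTimers, remain_secs: u32) -> Result<(), u32> {
    let needed = u64::from(t.soa_expire) + u64::from(t.max_ttl);
    if u64::from(remain_secs) >= needed {
        Ok(())
    } else {
        Err((needed - u64::from(remain_secs)) as u32)
    }
}

fn main() {
    // Constructed sample zone: SOA expire 7 days, largest TTL 1 day.
    let zone = "example. 86400 IN SOA ns1.example. hostmaster.example. 1 7200 3600 604800 3600\n\
                www.example. 3600 IN A 192.0.2.1\n";
    let t = zone_timers(zone).expect("zone has an SOA");
    // A 5-day remain time (432000 s) is too short for 7 d + 1 d = 8 d.
    match check_remain_time(&t, 5 * 86400) {
        Ok(()) => println!("signature remain time is sufficient"),
        Err(short) => println!("warning: remain time falls short by {short} s"),
    }
}
```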