diff --git a/doc/reference.texi b/doc/reference.texi
index 2cb65edba5ea711378ee2af6c237dd78b011fb9a..29568270bf4d16a93eb2b8e96544f6b09d238f07 100644
--- a/doc/reference.texi
+++ b/doc/reference.texi
@@ -884,9 +884,15 @@ Default value: not set
 @subsubsection signature-lifetime
 @vindex signature-lifetime
 
-Specifies how long should the automatically generated DNSSEC signatures be valid. Expiration will thus be set as current time (in the moment of signing) + @code{signature-lifetime}.
-Possible values are from 7201 to INT_MAX. The lower limit is because the server will trigger resign when any of the signatures expires in 7200 seconds or less. For information about zone 
-expiration date, invoke the @code{knotc zonestatus} command.
+Specifies how long should the automatically generated DNSSEC signatures be valid.
+Expiration will thus be set as current time (in the moment of signing)
++ @code{signature-lifetime}.
+Possible values are from 10801 to INT_MAX. The lower limit is because the server
+will trigger resign when any of the signatures expires in 7200 seconds or less
+and it was chosen as a reasonable value with regard to signing overhead. Setting
+the signature lifetime to minimum value will result in re-signing the zone each
+hour. For information about zone expiration date, invoke the
+@code{knotc zonestatus} command.
 
 Default value: @kbd{30d} (@kbd{2592000})
 
diff --git a/man/knot.conf.5.in b/man/knot.conf.5.in
index b3b5400d8fb5056f1872d5ee59f1f92c33ebad59..7e85e43c6713ab2db44aa3fd93cd81e5514d5fbb 100644
--- a/man/knot.conf.5.in
+++ b/man/knot.conf.5.in
@@ -266,12 +266,13 @@ serves as an example of the configuration for knotc(8) and knotd(8).
   dnssec-keydir "keys";
 
   # Validity period for DNSSEC signatures
-  # Possible values: <7201..INT_MAX> (seconds)
+  # Possible values: <10801..INT_MAX> (seconds)
   # Default value: 30d (30 days or 2592000 seconds)
   # It is also possible to suffix with unit size [s/m/h/d]
   # f.e. 1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
   # The lower limit is because the server will trigger resign when any of the
-  # signatures expires in 7200 seconds or less.
+  # signatures expires in 7200 seconds or less and it was chosen as a 
+  # reasonable value with regard to signing overhead.
   signature-lifetime 30d;
 
   # Zone entry
@@ -328,12 +329,13 @@ serves as an example of the configuration for knotc(8) and knotd(8).
     dnssec-enable off;
 
     # Validity period for DNSSEC signatures
-    # Possible values: (7200..INT_MAX> (seconds)
+    # Possible values: <10801..INT_MAX> (seconds)
     # Default value: 30d (30 days or 2592000 seconds)
     # It is also possible to suffix with unit size [s/m/h/d]
     # f.e. 1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
     # The lower limit is because the server will trigger resign when any of the
-    # signatures expires in 7200 seconds or less.
+    # signatures expires in 7200 seconds or less and it was chosen as a
+    # reasonable value with regard to signing overhead.
     signature-lifetime 30d;
 
     # XFR master server
diff --git a/samples/knot.full.conf b/samples/knot.full.conf
index e7f7b5bfc0d0284c9a14127c9ef6c8993a2cde65..c334b975fbe84f94250f3d5213c0a599420c104e 100644
--- a/samples/knot.full.conf
+++ b/samples/knot.full.conf
@@ -260,12 +260,13 @@ zones {
   # dnssec-keydir "keys";
 
   # Validity period for DNSSEC signatures
-  # Possible values: (7200..INT_MAX> (seconds)
+  # Possible values: <10801..INT_MAX> (seconds)
   # Default value: 30d (30 days or 2592000 seconds)
   # It is also possible to suffix with unit size [s/m/h/d]
   # f.e. 1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
   # The lower limit is because the server will trigger resign when any of the
-  # signatures expires in less than 7200 seconds.
+  # signatures expires in less than 7200 seconds and it was chosen as a 
+  # reasonable value with regard to signing overhead.
   # signature-lifetime 30d;
 
   # Zone entry
@@ -322,12 +323,13 @@ zones {
     # dnssec-enable on;
 
     # Validity period for DNSSEC signatures
-    # Possible values: (7200..INT_MAX> (seconds)
+    # Possible values: <10801..INT_MAX> (seconds)
     # Default value: 30d (30 days or 2592000 seconds)
     # It is also possible to suffix with unit size [s/m/h/d]
     # f.e. 1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
     # The lower limit is because the server will trigger resign when any of the
-    # signatures expires in 7200 seconds or less.
+    # signatures expires in 7200 seconds or less and it was chosen as a 
+    # reasonable value with regard to signing overhead.
     # signature-lifetime 30d;
 
     # XFR master server
diff --git a/src/knot/conf/cf-parse.y b/src/knot/conf/cf-parse.y
index e1e0c436f02dd18eeb2199c4c8276650bede7f27..4843f23837086d0660513a6edb8296c9b6af0a93 100644
--- a/src/knot/conf/cf-parse.y
+++ b/src/knot/conf/cf-parse.y
@@ -950,10 +950,10 @@ zone:
    }
  | zone DNSSEC_ENABLE BOOL ';' { this_zone->dnssec_enable = $3.i; }
  | zone SIGNATURE_LIFETIME NUM ';' {
-	SET_NUM(this_zone->sig_lifetime, $3.i, 7200, INT_MAX, "signature-lifetime");
+	SET_NUM(this_zone->sig_lifetime, $3.i, 10800, INT_MAX, "signature-lifetime");
  }
  | zone SIGNATURE_LIFETIME INTERVAL ';' {
-	SET_NUM(this_zone->sig_lifetime, $3.i, 7200, INT_MAX, "signature-lifetime");
+	SET_NUM(this_zone->sig_lifetime, $3.i, 10800, INT_MAX, "signature-lifetime");
  }
  ;
 
@@ -984,10 +984,10 @@ zones:
  | zones DNSSEC_ENABLE BOOL ';' { new_config->dnssec_enable = $3.i; }
  | zones DNSSEC_KEYDIR TEXT ';' { new_config->dnssec_keydir = $3.t; }
  | zones SIGNATURE_LIFETIME NUM ';' {
-	SET_NUM(new_config->sig_lifetime, $3.i, 7200, INT_MAX, "signature-lifetime");
+	SET_NUM(new_config->sig_lifetime, $3.i, 10800, INT_MAX, "signature-lifetime");
  }
  | zones SIGNATURE_LIFETIME INTERVAL ';' {
-	SET_NUM(new_config->sig_lifetime, $3.i, 7200, INT_MAX, "signature-lifetime");
+	SET_NUM(new_config->sig_lifetime, $3.i, 10800, INT_MAX, "signature-lifetime");
  }
  ;