diff --git a/doc/reference.texi b/doc/reference.texi
index 2d96346115e634884db6cd92e326223d54ae7323..6e59b874be32cb69438fff11011e8533b2c3d270 100644
--- a/doc/reference.texi
+++ b/doc/reference.texi
@@ -720,6 +720,7 @@ The @code{zones} statement contains definition of zones served by Knot DNS.
 [ @code{dnssec-keydir} @code{"}@kbd{string}@code{"}@code{;} ]
 [ @code{dnssec-enable} ( @code{on} | @code{off} )@code{;} ]
 [ @code{signature-lifetime} ( @kbd{integer} | @kbd{integer}(@code{s} | @code{m} | @code{h} | @code{d})@code{;} ) ]
+ [ @code{serial-policy} ( increment | unixtime ); ]
 @end example
 @node zones Statement Definition and Grammar
@@ -744,6 +745,7 @@ The @code{zones} statement contains definition of zones served by Knot DNS.
 * dnssec-keydir::
 * dnssec-enable::
 * signature-lifetime::
+* serial-policy::
 @end menu
 @node zone_id
@@ -906,6 +908,26 @@ hour. For information about zone expiration date, invoke the
 Default value: @kbd{30d} (@kbd{2592000})
+@node serial-policy
+@subsubsection serial-policy
+@vindex serial-policy
+
+Specifies how the zone serial is updated after DDNS (dynamic update) and
+automatic DNSSEC signing. If the serial is changed by the dynamic update, no
+change is made.
+
+increment - After update or signing, the serial is automatically incremented
+(according to serial number arithmetic).
+
+unixtime - After update or signing, serial is set to the current unix time.
+
+@strong{Warning:} If your serial was in other than unix time format, be careful with
+transition to unix time. It may happen that the new serial will be 'lower' than
+the old one. If this is the case, the transition should be done by hand (consult:
+ http://www.zytrax.com/books/dns/ch9/serial.html).
+
+Default value: increment
+
 @node zones Example
 @subsection zones Example
@@ -925,6 +947,7 @@ zones @{
 dnssec-enable on;
 dnssec-keydir "keys";
 signature-lifetime 60d;
+ serial-policy increment;
 example.com @{
 storage "samples";
 file "example.com.zone";
@@ -937,6 +960,7 @@ zones @{
 dnssec-keydir "keys";
 dnssec-enable off;
 signature-lifetime 30d;
+ serial-policy increment;
 xfr-in server0;
 xfr-out server0, server1;
 notify-in server0;
diff --git a/man/knot.conf.5.in b/man/knot.conf.5.in
index 2aaaa4fbade1841baa3960698a4e53b637c42e84..cb776acaa73bfba730652cb28c3ea59e1bc7cdf3 100644
--- a/man/knot.conf.5.in
+++ b/man/knot.conf.5.in
@@ -274,6 +274,11 @@ serves as an example of the configuration for knotc(8) and knotd(8).
 # signatures expires in 7200 seconds or less and it was chosen as a
 # reasonable value with regard to signing overhead.
 signature-lifetime 30d;
+
+ # Serial policy after DDNS and automatic DNSSEC signing.
+ # Possible values: increment | unixtime
+ # Default value: increment
+ serial-policy increment;
 # Zone entry
 #
@@ -346,6 +351,11 @@ serves as an example of the configuration for knotc(8) and knotd(8).
 # reasonable value with regard to signing overhead.
 signature-lifetime 30d;
+ # Serial policy after DDNS and automatic DNSSEC signing.
+ # Possible values: increment | unixtime
+ # Default value: increment
+ serial-policy increment;
+
 # XFR master server
 xfr-in server0;
diff --git a/samples/knot.full.conf b/samples/knot.full.conf
index ceb9d8c8808a013d28177e9bc454566e2b636fca..fb6124811700461902a18fa057eae2f0cc653fd9 100644
--- a/samples/knot.full.conf
+++ b/samples/knot.full.conf
@@ -269,6 +269,11 @@ zones {
 # reasonable value with regard to signing overhead.
 # signature-lifetime 30d;
+ # Serial policy after DDNS and automatic DNSSEC signing.
+ # Possible values: increment | unixtime
+ # Default value: increment
+ # serial-policy increment;
+
 # Zone entry
 #
 # Format: <zone-name> { file "<path-to-zone-file>"; }
@@ -340,6 +345,11 @@ zones {
 # reasonable value with regard to signing overhead.
 # signature-lifetime 30d;
+ # Serial policy after DDNS and automatic DNSSEC signing.
+ # Possible values: increment | unixtime
+ # Default value: increment
+ # serial-policy increment;
+
 # XFR master server
 xfr-in server0;