diff --git a/builtin/logical/ssh/path_roles.go b/builtin/logical/ssh/path_roles.go
index 24d0dbdd1..a5ae932af 100644
--- a/builtin/logical/ssh/path_roles.go
+++ b/builtin/logical/ssh/path_roles.go
@@ -67,9 +67,9 @@ func pathRoles(b *backend) *framework.Path {
 "cidr_list": &framework.FieldSchema{
 Type: framework.TypeString,
 Description: `
- [Required for both types]
+ [Optional for both types]
 Comma separated list of CIDR blocks for which the role is applicable for.
- CIDR blocks can belong to more than one role.`,
+ CIDR blocks can belong to more than one role. Defaults to zero-address (0.0.0.0/0)`,
 },
 "port": &framework.FieldSchema{
 Type: framework.TypeInt,
diff --git a/website/source/docs/secrets/ssh/index.html.md b/website/source/docs/secrets/ssh/index.html.md
index 11b308fe5..529e6b7aa 100644
--- a/website/source/docs/secrets/ssh/index.html.md
+++ b/website/source/docs/secrets/ssh/index.html.md
@@ -83,6 +83,8 @@ $ vault write ssh/roles/dynamic_key_role key_type=dynamic key=dev_key admin_user
 Success! Data written to: ssh/roles/dynamic_key_role
 ```
+Option `cidr_list` is optional and defaults to zero-address (0.0.0.0/0).
+
 Use the `install_script` option to provide an install script if hosts does not resemble typical Linux machine. The default script is compiled into the binary. It is straight forward and is shown below. The script takes three arguments which
@@ -434,10 +436,10 @@ username@ip:~$
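Review bot: In the `cidr_list` description in path_roles.go, "zero-address (0.0.0.0/0)" understates what the default means: 0.0.0.0/0 matches every IPv4 address, so a role written without `cidr_list` applies to any host. I would spell that out in the help text, e.g. `CIDR blocks can belong to more than one role. Defaults to 0.0.0.0/0, which matches all IPv4 addresses; set it to limit the role to specific hosts.` Only the help string changes in this hunk; the code that stops requiring the field and applies the default is not visible here, so it is worth confirming that the role-write path matches the new text. pathRoles continues outside the hunk.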