diff --git a/doc/arm/dnssec-guide.rst b/doc/arm/dnssec-guide.rst
index 0c28849de8..c3a9a0a3a4 100644
--- a/doc/arm/dnssec-guide.rst
+++ b/doc/arm/dnssec-guide.rst
@@ -9,6 +9,8 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
+.. _dnssec_guide:
+
 DNSSEC Guide
 ============
 
diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst
index 1d051270f1..818c7e2681 100644
--- a/doc/dnssec-guide/introduction.rst
+++ b/doc/dnssec-guide/introduction.rst
@@ -219,7 +219,7 @@ trust one key: the root key.
 .. _dnssec_12_steps:
 
 The 12-Step DNSSEC Validation Process (Simplified)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The following example shows the 12 steps of the DNSSEC validating process 
 at a very high level, looking up the name ``www.isc.org`` :
@@ -306,7 +306,7 @@ at a very high level, looking up the name ``www.isc.org`` :
 .. _chain_of_trust:
 
 Chain of Trust
-^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~
 
 But what about the root server itself? Who do we go to verify root's
 keys? There's no parent zone for root. In security, you have to trust