diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 21a9152f85..5c2f1d6b45 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -374,6 +374,7 @@ Options .. note:: ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits. + See :rfc:`9276`. .. option:: -H iterations @@ -382,6 +383,7 @@ Options .. warning:: Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks. + See :rfc:`9276`. .. option:: -A @@ -390,6 +392,7 @@ Options .. warning:: Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations. + See :rfc:`9276`. .. option:: -AA diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 23b35ffd8a..9fba98b36d 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -332,6 +332,8 @@ Locally-Served DNS Zones Registry.* May 2016. :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS Servers: Failure to Communicate.* September 2020. +:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022. + For Your Information -------------------- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index aab79e9064..5253ee1a86 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6555,7 +6555,7 @@ The following options can be specified in a :any:`dnssec-policy` statement: Do not use extra :term:`iterations `, :term:`salt `, and :term:`opt-out ` unless their implications are fully understood. A higher number of iterations causes interoperability problems and opens - servers to CPU-exhausting DoS attacks. + servers to CPU-exhausting DoS attacks. See :rfc:`9276`. .. namedconf:statement:: zone-propagation-delay :tags: dnssec, zone 
diff --git a/doc/dnssec-guide/advanced-discussions.rst b/doc/dnssec-guide/advanced-discussions.rst index 97438b8354..984435e5f4 100644 --- a/doc/dnssec-guide/advanced-discussions.rst +++ b/doc/dnssec-guide/advanced-discussions.rst @@ -271,7 +271,7 @@ NSEC3PARAM .. warning:: Before we dive into the details of NSEC3 parametrization, please note: the defaults should not be changed without a strong justification and a full - understanding of the potential impact. + understanding of the potential impact. See :rfc:`9276`. The above NSEC3 examples used four parameters: 1, 0, 0, and zero-length salt. 1 represents the algorithm, 0 represents the opt-out @@ -315,7 +315,7 @@ NSEC3 Opt-Out +++++++++++++ First things first: For most DNS administrators who do not manage a huge number -of insecure delegations, the NSEC3 opt-out featuere is not relevant. +of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`. Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3 record. In other words, use of the opt-out allows large registries to only sign as @@ -370,9 +370,7 @@ NSEC3 Salt The properties of this extra salt are complicated and beyond scope of this document. For detailed description why the salt in the context of DNSSEC -provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version -10 section 2.4 -`__. +provides little value please see :rfc:`9276`. .. _advanced_discussions_nsec_or_nsec3:
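Review bot: in the ``dnssec-signzone.rst`` hunks for ``-3``, ``-H`` and ``-A``, the added ``See :rfc:`9276`.`` line sits inside a ``.. note::`` / ``.. warning::`` directive body, so it must carry the same indentation as the directive text above it; otherwise Sphinx closes the admonition and renders the sentence as a stray paragraph. Please confirm the indentation in the rendered output, and consider tying the citation to the statement it supports, e.g. ``Adding salt provides no practical benefits (see :rfc:`9276`).``, so the three admonitions read as one sentence rather than a dangling "See".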
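Review bot: the NSEC3 Opt-Out hunk in ``advanced-discussions.rst`` keeps the existing typo on the line it rewrites: ``of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`.`` should read ``feature``. Since the line is already being touched, fix the spelling in the same commit.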
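Review bot: the NSEC3 Salt hunk loses precision when it swaps the draft link for a bare RFC citation; the removed link pointed at section 2.4 of the draft (the salt discussion), while ``please see :rfc:`9276`.`` points at the whole document. Consider naming the salt section of the RFC in the sentence so readers land on the relevant text. While here, the surrounding sentence could use a light edit: ``beyond the scope of this document. For a detailed description of why the salt ... provides little value, please see ...`` (missing articles and a comma before ``please``).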