From 8e4c0329c3a61239e023926a73591029168ea7a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 7 May 2024 13:11:03 +0200 Subject: [PATCH] Mention RFC 9276 Guidance for NSEC3 Parameter Settings Draft was eventually published as RFC 9276 but we did not update our docs. Also add couple mentions in relevant places in the ARM and dnssec-signzone man page, mainly around "do not touch" places. --- bin/dnssec/dnssec-signzone.rst | 3 +++ doc/arm/general.rst | 2 ++ doc/arm/reference.rst | 2 +- doc/dnssec-guide/advanced-discussions.rst | 8 +++----- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 21a9152f85..5c2f1d6b45 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -374,6 +374,7 @@ Options .. note:: ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits. + See :rfc:`9276`. .. option:: -H iterations @@ -382,6 +383,7 @@ Options .. warning:: Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks. + See :rfc:`9276`. .. option:: -A @@ -390,6 +392,7 @@ Options .. warning:: Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations. + See :rfc:`9276`. .. option:: -AA diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 23b35ffd8a..9fba98b36d 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -332,6 +332,8 @@ Locally-Served DNS Zones Registry.* May 2016. :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS Servers: Failure to Communicate.* September 2020. +:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022. + For Your Information -------------------- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index aab79e9064..5253ee1a86 100644 
--- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6555,7 +6555,7 @@ The following options can be specified in a :any:`dnssec-policy` statement: Do not use extra :term:`iterations `, :term:`salt `, and :term:`opt-out ` unless their implications are fully understood. A higher number of iterations causes interoperability problems and opens - servers to CPU-exhausting DoS attacks. + servers to CPU-exhausting DoS attacks. See :rfc:`9276`. .. namedconf:statement:: zone-propagation-delay :tags: dnssec, zone diff --git a/doc/dnssec-guide/advanced-discussions.rst b/doc/dnssec-guide/advanced-discussions.rst index 97438b8354..984435e5f4 100644 --- a/doc/dnssec-guide/advanced-discussions.rst +++ b/doc/dnssec-guide/advanced-discussions.rst @@ -271,7 +271,7 @@ NSEC3PARAM .. warning:: Before we dive into the details of NSEC3 parametrization, please note: the defaults should not be changed without a strong justification and a full - understanding of the potential impact. + understanding of the potential impact. See :rfc:`9276`. The above NSEC3 examples used four parameters: 1, 0, 0, and zero-length salt. 1 represents the algorithm, 0 represents the opt-out @@ -315,7 +315,7 @@ NSEC3 Opt-Out +++++++++++++ First things first: For most DNS administrators who do not manage a huge number -of insecure delegations, the NSEC3 opt-out featuere is not relevant. +of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`. Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3 record. In other words, use of the opt-out allows large registries to only sign as @@ -370,9 +370,7 @@ NSEC3 Salt The properties of this extra salt are complicated and beyond scope of this document. For detailed description why the salt in the context of DNSSEC -provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version -10 section 2.4 -`__. +provides little value please see :rfc:`9276`. .. _advanced_discussions_nsec_or_nsec3:
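Review bot: In the "NSEC3 Opt-Out" hunk of doc/dnssec-guide/advanced-discussions.rst the rewritten `+` line carries over the typo "featuere" (`+of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`.`). Since the line is being touched anyway, spell it "feature" here rather than leaving it for a separate fix.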
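Review bot: The "NSEC3 Salt" hunk of doc/dnssec-guide/advanced-discussions.rst drops the section pointer that the removed draft link carried ("version 10 section 2.4"), so the new `+provides little value please see :rfc:`9276`.` sends the reader to the whole RFC instead of the salt discussion; if the published RFC keeps a section dedicated to salt, point at it (Sphinx `:rfc:` accepts a `9276#section-N` style target). While rewriting this sentence, it would also read better with its missing articles and comma restored, e.g. "For a detailed description of why the salt, in the context of DNSSEC, provides little value, please see ...".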