Merge branch 'pspacek/doc-rfc-ref-update' into 'main'

Update RFC references in documentation

See merge request isc-projects/bind9!9020
Petr Špaček
2024-05-08 07:07:48 +00:00
5 changed files with 20 additions and 14 deletions


@@ -273,7 +273,7 @@ Options
with cached copies of the old DNSKEY RRset. The :option:`-Q` option forces
:program:`dnssec-signzone` to remove signatures from keys that are no longer
active. This enables ZSK rollover using the procedure described in
:rfc:`4641#4.2.1.1` ("Pre-Publish Key Rollover").
:rfc:`6781#4.1.1.1` ("Pre-Publish Key Rollover").
.. option:: -q
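Review bot: the quoted title on the new :rfc:`6781#4.1.1.1` line is still ("Pre-Publish Key Rollover"), which is the RFC 4641 heading. Section 4.1.1.1 of RFC 6781 is titled "Pre-Publish Zone Signing Key Rollover", so the text in parentheses should change together with the RFC and section number.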
@@ -290,7 +290,7 @@ Options
This option is similar to :option:`-Q`, except it forces
:program:`dnssec-signzone` to remove signatures from keys that are no longer
published. This enables ZSK rollover using the procedure described in
:rfc:`4641#4.2.1.2` ("Double Signature Zone Signing Key
:rfc:`6781#4.1.1.2` ("Double Signature Zone Signing Key
Rollover").
.. option:: -S
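Review bot: the fragment in :rfc:`6781#4.1.1.2` (and in the :option:`-Q` reference) is appended to the generated URL verbatim, and the anchors in the RFC HTML are named ``section-N``, so the link will open the top of the document instead of the section. Suggest :rfc:`6781#section-4.1.1.2`; the RFC 6781 heading is also hyphenated ("Double-Signature Zone Signing Key Rollover").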
@@ -374,6 +374,7 @@ Options
.. note::
``-3 -`` is the recommended configuration. Adding salt provides no practical benefits.
See :rfc:`9276`.
.. option:: -H iterations
@@ -382,6 +383,7 @@ Options
.. warning::
Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks.
See :rfc:`9276`.
.. option:: -A
@@ -390,6 +392,7 @@ Options
.. warning::
Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations.
See :rfc:`9276`.
.. option:: -AA
@@ -443,4 +446,4 @@ See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`, BIND 9 Administrator Reference Manual, :rfc:`4033`,
:rfc:`4641`.
:rfc:`6781`.


@@ -25,10 +25,7 @@ changes are immediately put into effect. Because the catalog zone is a
normal DNS zone, these configuration changes can be propagated using the
standard AXFR/IXFR zone transfer mechanism.
Catalog zones' format and behavior are specified as an Internet draft
for interoperability among DNS implementations. The
latest revision of the DNS catalog zones draft can be found here:
https://datatracker.ietf.org/doc/draft-toorop-dnsop-dns-catalog-zones/ .
Catalog zones' format and behavior are specified as :rfc:`9432`.
Principle of Operation
~~~~~~~~~~~~~~~~~~~~~~


@@ -285,6 +285,9 @@ Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_
:rfc:`8484` - P. Hoffman and P. McManus. *DNS Queries over HTTPS (DoH).*
October 2018. [#noencryptedfwd]_
:rfc:`8509` - G. Huston, J. Damas, W. Kumari. *A Root Key Trust Anchor Sentinel
for DNSSEC.* December 2018.
:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements
and Usage Guidance for DNSSEC.* June 2019.
@@ -303,6 +306,9 @@ November 2020.
:rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin.
*DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_
:rfc:`9432` - P. van Dijk, L. Peltan, O. Sury, W. Toorop, C.R. Monshouwer,
P. Thomassen, A. Sargsyan. *DNS Catalog Zones.* July 2023.
:rfc:`9460` - B. Schwartz, M. Bishop and E. Nygren, *Service Binding and
Parameter Specification via the DNS (SVCB and HTTPS Resource Records).*
November 2023.
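Review bot: the author list of the new RFC 9432 entry ends "P. Thomassen, A. Sargsyan." with no "and" before the last name, while the neighbouring entries (RFC 9103 above it, RFC 9460 below it) join the last author with "and". The RFC 8509 entry added in the previous hunk has the same inconsistency; suggest "... P. Thomassen, and A. Sargsyan." and "G. Huston, J. Damas, and W. Kumari." to match the list's style.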
@@ -332,6 +338,8 @@ Locally-Served DNS Zones Registry.* May 2016.
:rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS
Servers: Failure to Communicate.* September 2020.
:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022.
For Your Information
--------------------


@@ -2101,7 +2101,7 @@ Boolean Options
:short: Controls whether BIND 9 responds to root key sentinel probes.
If ``yes``, respond to root key sentinel probes as described in
`draft-ietf-dnsop-kskroll-sentinel-08 <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-kskroll-sentinel-08>`_. The default is ``yes``.
:rfc:`8509`:. The default is ``yes``.
.. namedconf:statement:: reuseport
:tags: server
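Review bot: the replacement line has a stray colon after the role, ``:rfc:`8509`:.``, which will render as "RFC 8509:." in the sentence describing root key sentinel probes. It should read ``:rfc:`8509`. The default is ``yes``.``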
@@ -6555,7 +6555,7 @@ The following options can be specified in a :any:`dnssec-policy` statement:
Do not use extra :term:`iterations <Iterations>`, :term:`salt <Salt>`, and
:term:`opt-out <Opt-out>` unless their implications are fully understood.
A higher number of iterations causes interoperability problems and opens
servers to CPU-exhausting DoS attacks.
servers to CPU-exhausting DoS attacks. See :rfc:`9276`.
.. namedconf:statement:: zone-propagation-delay
:tags: dnssec, zone


@@ -271,7 +271,7 @@ NSEC3PARAM
.. warning::
Before we dive into the details of NSEC3 parametrization, please note:
the defaults should not be changed without a strong justification and a full
understanding of the potential impact.
understanding of the potential impact. See :rfc:`9276`.
The above NSEC3 examples used four parameters: 1, 0, 0, and
zero-length salt. 1 represents the algorithm, 0 represents the opt-out
@@ -315,7 +315,7 @@ NSEC3 Opt-Out
+++++++++++++
First things first: For most DNS administrators who do not manage a huge number
of insecure delegations, the NSEC3 opt-out featuere is not relevant.
of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`.
Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3
record. In other words, use of the opt-out allows large registries to only sign as
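Review bot: the rewritten sentence still carries the typo "featuere" in "the NSEC3 opt-out featuere is not relevant"; since the line is modified here anyway, correct it to "feature" in the same change.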
@@ -370,9 +370,7 @@ NSEC3 Salt
The properties of this extra salt are complicated and beyond scope of this
document. For detailed description why the salt in the context of DNSSEC
provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version
10 section 2.4
<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10#section-2.4>`__.
provides little value please see :rfc:`9276`.
.. _advanced_discussions_nsec_or_nsec3:
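Review bot: the section pointer is lost in the salt paragraph. The removed text sent the reader to section 2.4 of the draft, but the new "please see :rfc:`9276`" links to the whole document. Salt is still covered in Section 2.4 of the published RFC, so :rfc:`9276#section-2.4` would keep the reference as precise as it was.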