Mention RFC 9276 Guidance for NSEC3 Parameter Settings

Draft was eventually published as RFC 9276 but we did not update our docs. Also add couple mentions in relevant places in the ARM and dnssec-signzone man page, mainly around "do not touch" places. (cherry picked from commit 8e4c0329c3)
2024-05-07 13:11:03 +02:00
parent 7817a483a4
commit f148d39a9b
4 changed files with 9 additions and 6 deletions
--- a/bin/dnssec/dnssec-signzone.rst
+++ b/bin/dnssec/dnssec-signzone.rst
@@ -364,6 +364,7 @@ Options

   .. note::
      ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits.
+      See :rfc:`9276`.

 .. option:: -H iterations

@@ -372,6 +373,7 @@ Options

   .. warning::
      Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks.
+      See :rfc:`9276`.

 .. option:: -A

@@ -380,6 +382,7 @@ Options

   .. warning::
      Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations.
+      See :rfc:`9276`.

 .. option:: -AA

--- a/doc/arm/general.rst
+++ b/doc/arm/general.rst
@@ -332,6 +332,8 @@ Locally-Served DNS Zones Registry.* May 2016.
 :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS
 Servers: Failure to Communicate.* September 2020.

+:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022.
+
 For Your Information
 --------------------

--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6586,7 +6586,7 @@ The following options can be specified in a :any:`dnssec-policy` statement:
       Do not use extra :term:`iterations <Iterations>`, :term:`salt <Salt>`, and
       :term:`opt-out <Opt-out>` unless their implications are fully understood.
       A higher number of iterations causes interoperability problems and opens
-       servers to CPU-exhausting DoS attacks.
+       servers to CPU-exhausting DoS attacks. See :rfc:`9276`.

 .. namedconf:statement:: zone-propagation-delay
   :tags: dnssec, zone
--- a/doc/dnssec-guide/advanced-discussions.rst
+++ b/doc/dnssec-guide/advanced-discussions.rst
@@ -271,7 +271,7 @@ NSEC3PARAM
 .. warning::
   Before we dive into the details of NSEC3 parametrization, please note:
   the defaults should not be changed without a strong justification and a full
-   understanding of the potential impact.
+   understanding of the potential impact. See :rfc:`9276`.

 The above NSEC3 examples used four parameters: 1, 0, 0, and
 zero-length salt. 1 represents the algorithm, 0 represents the opt-out
@@ -315,7 +315,7 @@ NSEC3 Opt-Out
 +++++++++++++

 First things first: For most DNS administrators who do not manage a huge number
-of insecure delegations, the NSEC3 opt-out featuere is not relevant.
+of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`.

 Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3
 record. In other words, use of the opt-out allows large registries to only sign as
@@ -370,9 +370,7 @@ NSEC3 Salt

 The properties of this extra salt are complicated and beyond scope of this
 document. For detailed description why the salt in the context of DNSSEC
-provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version
-10 section 2.4
-<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10#section-2.4>`__.
+provides little value please see :rfc:`9276`.

 .. _advanced_discussions_nsec_or_nsec3: