From 72ad0ed7cf88bf9486a45b1ad6427f9d87bb0192 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 7 Jun 2022 10:23:47 +0200 Subject: [PATCH] Use NSEC3 guidance values in nsec3 config examples Use best practice values in examples that follow new guidance from draft-ietf-dnsop-nsec3-guidance: ; SHA-1, no extra iterations, empty salt: ; bcp.example. IN NSEC3PARAM 1 0 0 - (cherry picked from commit 93601d83251efa13e9818215eadbb774e62551ab) --- doc/arm/dnssec.inc.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index 98c70e0c49..8e87aa4e69 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -160,14 +160,14 @@ To enable ``NSEC3``, add an ``nsec3param`` option to your DNSSEC Policy: :: dnssec-policy "nsec3" { - nsec3param iterations 5 optout yes salt-length 8; + nsec3param iterations 0 optout no salt-length 0; }; .. The ``nsec3`` policy above creates ``NSEC3`` records using the SHA-1 hash -algorithm, using 5 iterations and a salt that is 8 characters long. It also -skips insecure delegations. +algorithm, using zero extra iterations and no salt. ``optout`` is disabled, +meaning insecure delegations will also get an ``NSEC3`` record. The ``NSEC3`` chain is generated and the ``NSEC3PARAM`` record is added before the existing ``NSEC`` chain (if any) is destroyed.
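Review bot: the rewritten explanation in this hunk states the new parameter values but gives the reader no reason for them, while the commit message does (the NSEC3 guidance draft named there). Since this is the only ``nsec3param`` example in the ARM, consider adding one sentence after "``optout`` is disabled, meaning insecure delegations will also get an ``NSEC3`` record." along the lines of: "These are the values recommended by draft-ietf-dnsop-nsec3-guidance: extra iterations and a salt add resolver cost without improving the zone's resistance to hash-based enumeration." Two smaller points in the same hunk: "zero extra iterations" is the correct phrasing (the iteration count is additional to the single mandatory hash), so keep "extra" rather than dropping it in a later edit; and the old text's "a salt that is 8 characters long" was inaccurate for ``salt-length``, which counts octets, so the removal is an improvement. Lastly, "insecure delegations will also get an ``NSEC3`` record" could be tightened to "the ``NSEC3`` chain also covers insecure delegations", since what changes with ``optout no`` is chain coverage, not the delegation's own records.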