diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 668d7f3d85..dcc06fe2be 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -260,7 +260,7 @@ Options with cached copies of the old DNSKEY RRset. The :option:`-Q` option forces :program:`dnssec-signzone` to remove signatures from keys that are no longer active. This enables ZSK rollover using the procedure described in - :rfc:`4641#4.2.1.1` ("Pre-Publish Key Rollover"). + :rfc:`6781#4.1.1.1` ("Pre-Publish Key Rollover"). .. option:: -q @@ -277,7 +277,7 @@ Options This option is similar to :option:`-Q`, except it forces :program:`dnssec-signzone` to remove signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in - :rfc:`4641#4.2.1.2` ("Double Signature Zone Signing Key + :rfc:`6781#4.1.1.2` ("Double Signature Zone Signing Key Rollover"). .. option:: -S @@ -364,6 +364,7 @@ Options .. note:: ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits. + See :rfc:`9276`. .. option:: -H iterations @@ -372,6 +373,7 @@ Options .. warning:: Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks. + See :rfc:`9276`. .. option:: -A @@ -380,6 +382,7 @@ Options .. warning:: Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations. + See :rfc:`9276`. .. option:: -AA @@ -433,4 +436,4 @@ See Also ~~~~~~~~ :iscman:`dnssec-keygen(8) `, BIND 9 Administrator Reference Manual, :rfc:`4033`, -:rfc:`4641`. +:rfc:`6781`. diff --git a/doc/arm/catz.inc.rst b/doc/arm/catz.inc.rst index fec0759c3a..c22a6ff078 100644 --- a/doc/arm/catz.inc.rst +++ b/doc/arm/catz.inc.rst 
@@ -25,10 +25,7 @@ changes are immediately put into effect. Because the catalog zone is a normal DNS zone, these configuration changes can be propagated using the standard AXFR/IXFR zone transfer mechanism. -Catalog zones' format and behavior are specified as an Internet draft -for interoperability among DNS implementations. The -latest revision of the DNS catalog zones draft can be found here: -https://datatracker.ietf.org/doc/draft-toorop-dnsop-dns-catalog-zones/ . +Catalog zones' format and behavior are specified as :rfc:`9432`. Principle of Operation ~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 23b35ffd8a..09bcaa9725 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -285,6 +285,9 @@ Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ :rfc:`8484` - P. Hoffman and P. McManus. *DNS Queries over HTTPS (DoH).* October 2018. [#noencryptedfwd]_ +:rfc:`8509` - G. Huston, J. Damas, W. Kumari. *A Root Key Trust Anchor Sentinel +for DNSSEC.* December 2018. + :rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements and Usage Guidance for DNSSEC.* June 2019. @@ -303,6 +306,9 @@ November 2020. :rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin. *DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_ +:rfc:`9432` - P. van Dijk, L. Peltan, O. Sury, W. Toorop, C.R. Monshouwer, +P. Thomassen, A. Sargsyan. *DNS Catalog Zones.* July 2023. + :rfc:`9460` - B. Schwartz, M. Bishop and E. Nygren, *Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records).* November 2023. @@ -332,6 +338,8 @@ Locally-Served DNS Zones Registry.* May 2016. :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS Servers: Failure to Communicate.* September 2020. +:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022. + For Your Information -------------------- 
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index cb2f5126af..48dbce13b7 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -2147,7 +2147,7 @@ Boolean Options :short: Controls whether BIND 9 responds to root key sentinel probes. If ``yes``, respond to root key sentinel probes as described in - `draft-ietf-dnsop-kskroll-sentinel-08 `_. The default is ``yes``. + :rfc:`8509`:. The default is ``yes``. .. namedconf:statement:: reuseport :tags: server @@ -6586,7 +6586,7 @@ The following options can be specified in a :any:`dnssec-policy` statement: Do not use extra :term:`iterations `, :term:`salt `, and :term:`opt-out ` unless their implications are fully understood. A higher number of iterations causes interoperability problems and opens - servers to CPU-exhausting DoS attacks. + servers to CPU-exhausting DoS attacks. See :rfc:`9276`. .. namedconf:statement:: zone-propagation-delay :tags: dnssec, zone diff --git a/doc/dnssec-guide/advanced-discussions.rst b/doc/dnssec-guide/advanced-discussions.rst index 90b919aaf4..314559d1c3 100644 --- a/doc/dnssec-guide/advanced-discussions.rst +++ b/doc/dnssec-guide/advanced-discussions.rst @@ -271,7 +271,7 @@ NSEC3PARAM .. warning:: Before we dive into the details of NSEC3 parametrization, please note: the defaults should not be changed without a strong justification and a full - understanding of the potential impact. + understanding of the potential impact. See :rfc:`9276`. The above NSEC3 examples used four parameters: 1, 0, 0, and zero-length salt. 1 represents the algorithm, 0 represents the opt-out 
@@ -315,7 +315,7 @@ NSEC3 Opt-Out +++++++++++++ First things first: For most DNS administrators who do not manage a huge number -of insecure delegations, the NSEC3 opt-out featuere is not relevant. +of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`. Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3 record. In other words, use of the opt-out allows large registries to only sign as @@ -370,9 +370,7 @@ NSEC3 Salt The properties of this extra salt are complicated and beyond scope of this document. For detailed description why the salt in the context of DNSSEC -provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version -10 section 2.4 -`__. +provides little value please see :rfc:`9276`. .. _advanced_discussions_nsec_or_nsec3:
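Review bot: in the first two dnssec-signzone.rst hunks the section anchors move to `:rfc:`6781#4.1.1.1`` and `:rfc:`6781#4.1.1.2``, but the parenthesised titles are left as they were for RFC 4641 ("Pre-Publish Key Rollover", "Double Signature Zone Signing Key Rollover"); check them against the actual section headings in RFC 6781 (its ZSK rollover sections are titled as "Zone Signing Key" rollovers, e.g. "Pre-Publish Zone Signing Key Rollover") so the quoted text and the referenced section agree.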
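Review bot: wording in the catz.inc.rst hunk, "Catalog zones' format and behavior are specified as :rfc:`9432`." reads oddly; the usual phrasing for a document reference is "specified in :rfc:`9432`".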
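Review bot: style in the general.rst bibliography hunks, the new entries list their authors without a conjunction ("G. Huston, J. Damas, W. Kumari" and "... P. Thomassen, A. Sargsyan") while the neighbouring entries use "and" before the final author (e.g. "P. Hoffman and P. McManus", "S. Sahib, P. Aras, and A. Mankin"); suggest "G. Huston, J. Damas, and W. Kumari" and "P. Thomassen, and A. Sargsyan" for consistency.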
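Review bot: the first reference.rst hunk has a stray colon after the role in `:rfc:`8509`:. The default is ``yes``.`, which would render as "RFC 8509:."; it should read `:rfc:`8509`. The default is ``yes``.`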
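Review bot: the NSEC3 Opt-Out hunk in advanced-discussions.rst rewrites the line but keeps the pre-existing typo "featuere"; since the line is being touched anyway, change it to "the NSEC3 opt-out feature is not relevant. See :rfc:`9276`."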
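Review bot: the NSEC3 Salt hunk loses precision, the removed link pointed at section 2.4 of the draft while the replacement cites the whole RFC; this patch already uses the `:rfc:`6781#4.1.1.1`` anchor form elsewhere, so consider `:rfc:`9276#2.4`` after confirming the salt discussion kept that section number in the published RFC.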