From 7817a483a47aba15871eaaf8e39097307f7a4be4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 7 May 2024 13:10:07 +0200 Subject: [PATCH 1/4] Update DNSSEC Operational Practices references to Version 2 RFC 4641 was obsoleted by 6781. (cherry picked from commit c5d6769e11cfbce258017f13a8164005644747ff) --- bin/dnssec/dnssec-signzone.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 668d7f3d85..98d281c1f5 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -260,7 +260,7 @@ Options with cached copies of the old DNSKEY RRset. The :option:`-Q` option forces :program:`dnssec-signzone` to remove signatures from keys that are no longer active. This enables ZSK rollover using the procedure described in - :rfc:`4641#4.2.1.1` ("Pre-Publish Key Rollover"). + :rfc:`6781#4.1.1.1` ("Pre-Publish Key Rollover"). .. option:: -q @@ -277,7 +277,7 @@ Options This option is similar to :option:`-Q`, except it forces :program:`dnssec-signzone` to remove signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in - :rfc:`4641#4.2.1.2` ("Double Signature Zone Signing Key + :rfc:`6781#4.1.1.2` ("Double Signature Zone Signing Key Rollover"). .. option:: -S @@ -433,4 +433,4 @@ See Also ~~~~~~~~ :iscman:`dnssec-keygen(8) `, BIND 9 Administrator Reference Manual, :rfc:`4033`, -:rfc:`4641`. +:rfc:`6781`. From f148d39a9b367757f0f1af016327b38d9b23c6fe Mon Sep 17 00:00:00 2001 
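Review bot: in the `-Q` hunk of bin/dnssec/dnssec-signzone.rst only the section number moved (4.2.1.1 to 4.1.1.1) while the quoted title ("Pre-Publish Key Rollover") was carried over from the RFC 4641 reference unchanged; please confirm the quoted title still matches the heading of RFC 6781 section 4.1.1.1, and that the `#4.1.1.1` fragment on the `:rfc:` role resolves to that section in the rendered link, since the URL the role expands to is not visible in the diff.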
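Review bot: the same check applies to the second hunk of bin/dnssec/dnssec-signzone.rst, where `:rfc:`4641#4.2.1.2`` becomes `:rfc:`6781#4.1.1.2`` but the quoted title ("Double Signature Zone Signing Key Rollover") is unchanged; verify the title against the RFC 6781 heading and that the section fragment renders correctly, so the two rollover procedures point at the right text.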
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 7 May 2024 13:11:03 +0200 Subject: [PATCH 2/4] Mention RFC 9276 Guidance for NSEC3 Parameter Settings Draft was eventually published as RFC 9276 but we did not update our docs. Also add couple mentions in relevant places in the ARM and dnssec-signzone man page, mainly around "do not touch" places. (cherry picked from commit 8e4c0329c3a61239e023926a73591029168ea7a3) --- bin/dnssec/dnssec-signzone.rst | 3 +++ doc/arm/general.rst | 2 ++ doc/arm/reference.rst | 2 +- doc/dnssec-guide/advanced-discussions.rst | 8 +++----- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 98d281c1f5..dcc06fe2be 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -364,6 +364,7 @@ Options .. note:: ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits. + See :rfc:`9276`. .. option:: -H iterations @@ -372,6 +373,7 @@ Options .. warning:: Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks. + See :rfc:`9276`. .. option:: -A @@ -380,6 +382,7 @@ Options .. warning:: Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations. + See :rfc:`9276`. .. option:: -AA diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 23b35ffd8a..9fba98b36d 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -332,6 +332,8 @@ Locally-Served DNS Zones Registry.* May 2016. :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS Servers: Failure to Communicate.* September 2020. +:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022. + For Your Information -------------------- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index cb2f5126af..50a490e6d3 100644 
--- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6586,7 +6586,7 @@ The following options can be specified in a :any:`dnssec-policy` statement: Do not use extra :term:`iterations `, :term:`salt `, and :term:`opt-out ` unless their implications are fully understood. A higher number of iterations causes interoperability problems and opens - servers to CPU-exhausting DoS attacks. + servers to CPU-exhausting DoS attacks. See :rfc:`9276`. .. namedconf:statement:: zone-propagation-delay :tags: dnssec, zone diff --git a/doc/dnssec-guide/advanced-discussions.rst b/doc/dnssec-guide/advanced-discussions.rst index 90b919aaf4..314559d1c3 100644 --- a/doc/dnssec-guide/advanced-discussions.rst +++ b/doc/dnssec-guide/advanced-discussions.rst @@ -271,7 +271,7 @@ NSEC3PARAM .. warning:: Before we dive into the details of NSEC3 parametrization, please note: the defaults should not be changed without a strong justification and a full - understanding of the potential impact. + understanding of the potential impact. See :rfc:`9276`. The above NSEC3 examples used four parameters: 1, 0, 0, and zero-length salt. 1 represents the algorithm, 0 represents the opt-out @@ -315,7 +315,7 @@ NSEC3 Opt-Out +++++++++++++ First things first: For most DNS administrators who do not manage a huge number -of insecure delegations, the NSEC3 opt-out featuere is not relevant. +of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`. Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3 record. In other words, use of the opt-out allows large registries to only sign as @@ -370,9 +370,7 @@ NSEC3 Salt The properties of this extra salt are complicated and beyond scope of this document. For detailed description why the salt in the context of DNSSEC -provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version -10 section 2.4 -`__. +provides little value please see :rfc:`9276`. .. _advanced_discussions_nsec_or_nsec3: 
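Review bot: the three `See :rfc:`9276`.` lines added to bin/dnssec/dnssec-signzone.rst (the `-3`, `-H iterations` and `-A` hunks) each sit inside a `.. note::` or `.. warning::` directive body; the flattened diff does not show their indentation, so confirm each added line is indented to the directive body, otherwise Sphinx closes the admonition and renders the sentence as a separate paragraph outside the box.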
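Review bot: the "NSEC3 Opt-Out" hunk in doc/dnssec-guide/advanced-discussions.rst rewrites the line `of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`.` but keeps the typo "featuere"; since the line is touched anyway, fix it to "feature" in the same change.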
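Review bot: the "NSEC3 Salt" hunk in doc/dnssec-guide/advanced-discussions.rst drops a pointer to a specific section (the removed link targeted "section 2.4" of the draft) in favour of the bare `:rfc:`9276``; if the salt discussion kept its section number in the published RFC, `:rfc:`9276#2.4`` preserves the precision of the old reference and lands the reader on the salt text rather than the whole document.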
From 9291689720b15d334a56dc7ee29d5ebfc6dab0fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 7 May 2024 13:24:43 +0200 Subject: [PATCH 3/4] Update KSK root sentinel references The mechanism was published as RFC 8509. I've briefly looked at diff between versions -08 and the RFC and did not find significant protocol change. Quick manual check confirms what we seem to comply with the published protocol. (cherry picked from commit 153311da2d97f1febd7e952842fd7e4cf8f9b673) --- doc/arm/general.rst | 3 +++ doc/arm/reference.rst | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 9fba98b36d..0f364dc9b0 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -285,6 +285,9 @@ Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ :rfc:`8484` - P. Hoffman and P. McManus. *DNS Queries over HTTPS (DoH).* October 2018. [#noencryptedfwd]_ +:rfc:`8509` - G. Huston, J. Damas, W. Kumari. *A Root Key Trust Anchor Sentinel +for DNSSEC.* December 2018. + :rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements and Usage Guidance for DNSSEC.* June 2019. diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 50a490e6d3..48dbce13b7 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -2147,7 +2147,7 @@ Boolean Options :short: Controls whether BIND 9 responds to root key sentinel probes. If ``yes``, respond to root key sentinel probes as described in - `draft-ietf-dnsop-kskroll-sentinel-08 `_. The default is ``yes``. + :rfc:`8509`:. The default is ``yes``. .. namedconf:statement:: reuseport :tags: server From 834621f53f9cb483e9b0c98e7628c144867880e5 Mon Sep 17 00:00:00 2001 
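Review bot: the new entry in doc/arm/general.rst, `:rfc:`8509` - G. Huston, J. Damas, W. Kumari.`, omits the "and" before the last author that the neighbouring entries use (`P. Hoffman and P. McManus`, `P. Wouters and O. Sury`); write "G. Huston, J. Damas, and W. Kumari" for consistency with the rest of the list.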
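Review bot: the doc/arm/reference.rst hunk introduces a stray colon after the role, `:rfc:`8509`:. The default is ``yes``.`, which will render as "RFC 8509:." in the `root-key-sentinel` description; the line should read `:rfc:`8509`. The default is ``yes``.`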
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 7 May 2024 13:34:51 +0200 Subject: [PATCH 4/4] Update reference for Catalog Zones spec to RFC9432 (cherry picked from commit ead4a110ad05faa806841af53c2ea8dc36e5e9c9) --- doc/arm/catz.inc.rst | 5 +---- doc/arm/general.rst | 3 +++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/arm/catz.inc.rst b/doc/arm/catz.inc.rst index fec0759c3a..c22a6ff078 100644 --- a/doc/arm/catz.inc.rst +++ b/doc/arm/catz.inc.rst @@ -25,10 +25,7 @@ changes are immediately put into effect. Because the catalog zone is a normal DNS zone, these configuration changes can be propagated using the standard AXFR/IXFR zone transfer mechanism. -Catalog zones' format and behavior are specified as an Internet draft -for interoperability among DNS implementations. The -latest revision of the DNS catalog zones draft can be found here: -https://datatracker.ietf.org/doc/draft-toorop-dnsop-dns-catalog-zones/ . +Catalog zones' format and behavior are specified as :rfc:`9432`. Principle of Operation ~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 0f364dc9b0..09bcaa9725 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -306,6 +306,9 @@ November 2020. :rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin. *DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_ +:rfc:`9432` - P. van Dijk, L. Peltan, O. Sury, W. Toorop, C.R. Monshouwer, +P. Thomassen, A. Sargsyan. *DNS Catalog Zones.* July 2023. + :rfc:`9460` - B. Schwartz, M. Bishop and E. Nygren, *Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records).* November 2023.
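Review bot: the replacement sentence in doc/arm/catz.inc.rst, `Catalog zones' format and behavior are specified as :rfc:`9432`.`, reads awkwardly ("specified in" is the usual phrasing) and the removed paragraph's point that the specification exists for interoperability among DNS implementations is lost; suggest `Catalog zones' format and behavior are specified in :rfc:`9432` for interoperability among DNS implementations.`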
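Review bot: the new `:rfc:`9432`` entry in doc/arm/general.rst lists seven authors without an "and" before `A. Sargsyan`, while the adjacent `:rfc:`9103`` entry uses "P. Aras, and A. Mankin"; add the "and" so the author lists follow one style.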