Mention RFC 9276 Guidance for NSEC3 Parameter Settings

Draft was eventually published as RFC 9276 but we did not update our
docs. Also add couple mentions in relevant places in the ARM and
dnssec-signzone man page, mainly around "do not touch" places.

diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst
index 21a9152f854ef2f7331254aa5305b3104d3d8e94..5c2f1d6b450f9fdaafed96efb6791645b33faa71 100644 (file)
--- a/bin/dnssec/dnssec-signzone.rst
+++ b/bin/dnssec/dnssec-signzone.rst
@@ -374,6 +374,7 @@ Options
 
    .. note::
       ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits.
+      See :rfc:`9276`.
 
 .. option:: -H iterations
 
@@ -382,6 +383,7 @@ Options
 
    .. warning::
       Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks.
+      See :rfc:`9276`.
 
 .. option:: -A
 
@@ -390,6 +392,7 @@ Options
 
    .. warning::
       Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations.
+      See :rfc:`9276`.
 
 .. option:: -AA
 

diff --git a/doc/arm/general.rst b/doc/arm/general.rst
index 23b35ffd8a0be840b9b98c86144ad4c54ef15751..9fba98b36df7fea9e7d50d6d4866ab2ec42b4732 100644 (file)
--- a/doc/arm/general.rst
+++ b/doc/arm/general.rst
@@ -332,6 +332,8 @@ Locally-Served DNS Zones Registry.* May 2016.
 :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS
 Servers: Failure to Communicate.* September 2020.
 
+:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022.
+
 For Your Information
 --------------------
 

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index aab79e9064544a752bbdccf7d4951c2ad0a91562..5253ee1a861aa711f1a54d259cbc82d348924e40 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6555,7 +6555,7 @@ The following options can be specified in a :any:`dnssec-policy` statement:
        Do not use extra :term:`iterations <Iterations>`, :term:`salt <Salt>`, and
        :term:`opt-out <Opt-out>` unless their implications are fully understood.
        A higher number of iterations causes interoperability problems and opens
-       servers to CPU-exhausting DoS attacks.
+       servers to CPU-exhausting DoS attacks. See :rfc:`9276`.
 
 .. namedconf:statement:: zone-propagation-delay
    :tags: dnssec, zone

diff --git a/doc/dnssec-guide/advanced-discussions.rst b/doc/dnssec-guide/advanced-discussions.rst
index 97438b8354d0e825e74ff0acd22fd14bee842faa..984435e5f46bcf20451de8db3431b7c5da6244b3 100644 (file)
--- a/doc/dnssec-guide/advanced-discussions.rst
+++ b/doc/dnssec-guide/advanced-discussions.rst
@@ -271,7 +271,7 @@ NSEC3PARAM
 .. warning::
    Before we dive into the details of NSEC3 parametrization, please note:
    the defaults should not be changed without a strong justification and a full
-   understanding of the potential impact.
+   understanding of the potential impact. See :rfc:`9276`.
 
 The above NSEC3 examples used four parameters: 1, 0, 0, and
 zero-length salt. 1 represents the algorithm, 0 represents the opt-out
@@ -315,7 +315,7 @@ NSEC3 Opt-Out
 +++++++++++++
 
 First things first: For most DNS administrators who do not manage a huge number
-of insecure delegations, the NSEC3 opt-out featuere is not relevant.
+of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`.
 
 Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3
 record. In other words, use of the opt-out allows large registries to only sign as
@@ -370,9 +370,7 @@ NSEC3 Salt
 
 The properties of this extra salt are complicated and beyond scope of this
 document. For detailed description why the salt in the context of DNSSEC
-provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version
-10 section 2.4
-<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10#section-2.4>`__.
+provides little value please see :rfc:`9276`.
 
 .. _advanced_discussions_nsec_or_nsec3: