Make sure all RFC references in the ARM use the stock :rfc: Sphinx role.
[17] Wildcard records are not supported in DNSSEC secure zones.
[18] Servers authoritative for secure zones being resolved by BIND
-9 must support EDNS0 (RFC2671), and must return all relevant SIGs
+9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs
and NXTs in responses, rather than relying on the resolving server
to perform separate queries for missing SIGs and NXTs.
sign the zone are "stand-by" keys.
Any validating resolver which is configured to use the active KSK as an
-RFC 5011-managed trust anchor takes note of the stand-by KSKs in the
+:rfc:`5011`-managed trust anchor takes note of the stand-by KSKs in the
zone's DNSKEY RRset, and stores them for future reference. The resolver
rechecks the zone periodically; after 30 days, if the new key is
still there, the key is accepted by the resolver as a valid
is made. For convenience, TTL-style time-unit suffixes may be used to
specify the value. It also accepts ISO 8601 duration formats.
- The default ``stale-refresh-time`` is 30 seconds, as RFC 8767 recommends
+ The default ``stale-refresh-time`` is 30 seconds, as :rfc:`8767` recommends
that attempts to refresh to be done no more frequently than every 30
seconds. A value of zero disables the feature, meaning that normal
resolution will take place first, if that fails only then ``named`` will
projects / thirdparty / bind9.git / commitdiff
