From: Petr Špaček Date: Tue, 7 May 2024 11:11:03 +0000 (+0200) Subject: Mention RFC 9276 Guidance for NSEC3 Parameter Settings X-Git-Tag: v9.18.28~33^2~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=f148d39a9b367757f0f1af016327b38d9b23c6fe;p=thirdparty%2Fbind9.git Mention RFC 9276 Guidance for NSEC3 Parameter Settings Draft was eventually published as RFC 9276 but we did not update our docs. Also add couple mentions in relevant places in the ARM and dnssec-signzone man page, mainly around "do not touch" places. (cherry picked from commit 8e4c0329c3a61239e023926a73591029168ea7a3) --- diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 98d281c1f53..dcc06fe2be0 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -364,6 +364,7 @@ Options .. note:: ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits. + See :rfc:`9276`. .. option:: -H iterations @@ -372,6 +373,7 @@ Options .. warning:: Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks. + See :rfc:`9276`. .. option:: -A @@ -380,6 +382,7 @@ Options .. warning:: Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations. + See :rfc:`9276`. .. option:: -AA diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 23b35ffd8a0..9fba98b36df 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -332,6 +332,8 @@ Locally-Served DNS Zones Registry.* May 2016. :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS Servers: Failure to Communicate.* September 2020. +:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022. + For Your Information -------------------- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index cb2f5126afa..50a490e6d33 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6586,7 +6586,7 @@ The following options can be specified in a :any:`dnssec-policy` statement: Do not use extra :term:`iterations `, :term:`salt `, and :term:`opt-out ` unless their implications are fully understood. A higher number of iterations causes interoperability problems and opens - servers to CPU-exhausting DoS attacks. + servers to CPU-exhausting DoS attacks. See :rfc:`9276`. .. namedconf:statement:: zone-propagation-delay :tags: dnssec, zone diff --git a/doc/dnssec-guide/advanced-discussions.rst b/doc/dnssec-guide/advanced-discussions.rst index 90b919aaf4b..314559d1c37 100644 --- a/doc/dnssec-guide/advanced-discussions.rst +++ b/doc/dnssec-guide/advanced-discussions.rst @@ -271,7 +271,7 @@ NSEC3PARAM .. warning:: Before we dive into the details of NSEC3 parametrization, please note: the defaults should not be changed without a strong justification and a full - understanding of the potential impact. + understanding of the potential impact. See :rfc:`9276`. The above NSEC3 examples used four parameters: 1, 0, 0, and zero-length salt. 1 represents the algorithm, 0 represents the opt-out @@ -315,7 +315,7 @@ NSEC3 Opt-Out +++++++++++++ First things first: For most DNS administrators who do not manage a huge number -of insecure delegations, the NSEC3 opt-out featuere is not relevant. +of insecure delegations, the NSEC3 opt-out featuere is not relevant. See :rfc:`9276`. Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3 record. In other words, use of the opt-out allows large registries to only sign as @@ -370,9 +370,7 @@ NSEC3 Salt The properties of this extra salt are complicated and beyond scope of this document. For detailed description why the salt in the context of DNSSEC -provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version -10 section 2.4 -`__. +provides little value please see :rfc:`9276`. .. _advanced_discussions_nsec_or_nsec3: