diff --git a/doc/arm/general.rst b/doc/arm/general.rst
index 3f478040fe..a15fb30b62 100644
--- a/doc/arm/general.rst
+++ b/doc/arm/general.rst
@@ -581,7 +581,7 @@ is accepted but not returned in responses.
 [17] Wildcard records are not supported in DNSSEC secure zones.
 
 [18] Servers authoritative for secure zones being resolved by BIND
-9 must support EDNS0 (RFC2671), and must return all relevant SIGs
+9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs
 and NXTs in responses, rather than relying on the resolving server
 to perform separate queries for missing SIGs and NXTs.
 
diff --git a/doc/arm/managed-keys.rst b/doc/arm/managed-keys.rst
index ac6424c689..fa771bebb1 100644
--- a/doc/arm/managed-keys.rst
+++ b/doc/arm/managed-keys.rst
@@ -35,7 +35,7 @@ zone with one of them; this is the "active" KSK. All KSKs which do not
 sign the zone are "stand-by" keys.
 
 Any validating resolver which is configured to use the active KSK as an
-RFC 5011-managed trust anchor takes note of the stand-by KSKs in the
+:rfc:`5011`-managed trust anchor takes note of the stand-by KSKs in the
 zone's DNSKEY RRset, and stores them for future reference. The resolver
 rechecks the zone periodically; after 30 days, if the new key is
 still there, the key is accepted by the resolver as a valid
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index e3eb4b0ae5..7035bebd78 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1882,7 +1882,7 @@ Boolean Options
    is made. For convenience, TTL-style time-unit suffixes may be used to
    specify the value. It also accepts ISO 8601 duration formats.
 
-   The default ``stale-refresh-time`` is 30 seconds, as RFC 8767 recommends
+   The default ``stale-refresh-time`` is 30 seconds, as :rfc:`8767` recommends
    that attempts to refresh to be done no more frequently than every 30
    seconds. A value of zero disables the feature, meaning that normal
    resolution will take place first, if that fails only then ``named`` will