Issue created Apr 22, 2020 by Peter Davies (@peterd), Developer. 13 of 15 checklist items completed.

RFC9103: DNS Zone Transfer over TLS (XoT)

Description

RFC 9103 describes the use of TLS to encrypt zone transfers in order to provide confidentiality, known as XFR-over-TLS (XoT). The standard has been adopted by the DPRIVE WG.

Feature Request

The feature request is for BIND to support XFR-over-TLS as described in the above RFC. This will obviously be dependent on DoT (RFC7858) being implemented in BIND. The specific aspects of the XoT implementation that are desired are:

  • Support for both AXFR and IXFR
    • XoT requires the dot ALPN token to be negotiated (See: #2794 (closed))
    • XoT requires TLSv1.3 or higher (See: #2795 (closed), and related #2796 (closed))
  • Support for XFR-over-TLS both when BIND is acting as a primary and a secondary
  • XFR-over-TLS (XoT): Primaries need to be able to restrict XFR to just TLS (#2776 (closed))
    • Related: Replace tcp-only with a more generic option (#2992)
  • Support for authentication of TLS connections via X.509 certificates (Strict TLS and Mutual TLS)
    • Related MR: !5600 (merged)
    • A TLS contexts cache needs to be implemented for context reuse and fast retrieval of the data associated with contexts (like the CA intermediates chain): #3067 (closed), !5672 (merged)
    • Add remote TLS certificate verification support, implement Strict and Mutual TLS authentication (#3163 (closed))
  • Optimisation of TCP/TLS connections such that persistent connections can be re-used for multiple IXFRs for the same zone, and also IXFRs for different zones.
  • Client TLS session resumption support: !6274 (merged)
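
The following named.conf pair is an added example, not part of this issue or of BIND's repository. It shows how the checklist items above map onto the configuration syntax BIND 9.18 and later provide (tls blocks, listen-on ... tls, allow-transfer transport tls, primaries ... tls): a primary that accepts AXFR/IXFR only over TLS 1.3 with client-certificate (Mutual TLS) authentication, and a secondary that verifies the primary's certificate (Strict TLS) and presents its own. Hostnames, addresses (192.0.2.0/24 is TEST-NET-1) and file paths are assumptions.

```conf
# ---- Primary (ns1.example.com, 192.0.2.1), assumed names and paths ----

tls xot-server {
    key-file  "/etc/bind/tls/ns1.key";          # assumed path
    cert-file "/etc/bind/tls/ns1.crt";          # assumed path
    ca-file   "/etc/bind/tls/zone-xfer-ca.pem"; # with ca-file set on a listener, named
                                                # requires and verifies client certs (Mutual TLS)
    protocols { TLSv1.3; };                     # XoT forbids TLS versions below 1.3
};

options {
    listen-on port 53 { any; };                 # ordinary queries stay on 53
    listen-on port 853 tls xot-server { any; }; # DoT/XoT listener; named negotiates ALPN "dot"
};

zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.db";
    # Weak setting:   allow-transfer { 192.0.2.2; };
    # would also hand the zone out in cleartext over TCP port 53.
    allow-transfer transport tls { 192.0.2.2; }; # XFR only over the TLS listener
};

# ---- Secondary (ns2.example.com, 192.0.2.2), assumed names and paths ----

tls xot-client {
    remote-hostname "ns1.example.com";          # name checked against the primary's certificate
    ca-file   "/etc/bind/tls/zone-xfer-ca.pem"; # trust anchor for the primary's cert (Strict TLS)
    key-file  "/etc/bind/tls/ns2.key";          # client identity presented to the primary
    cert-file "/etc/bind/tls/ns2.crt";          # (Mutual TLS)
    protocols { TLSv1.3; };
};

zone "example.com" {
    type secondary;
    file "/var/lib/bind/example.com.saved";
    primaries { 192.0.2.1 port 853 tls xot-client; }; # AXFR and IXFR requested over TLS only
};
```

Validate each file with named-checkconf before reloading. A quick end-to-end check from the secondary host is dig +tls +tls-ca=/etc/bind/tls/zone-xfer-ca.pem +tls-hostname=ns1.example.com +tls-certfile=... +tls-keyfile=... @192.0.2.1 example.com AXFR; the same AXFR over plain TCP port 53 should be refused by the primary, which is what transport tls buys you over a plain address-based allow-transfer.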

Related issues/bugs

  • #2450 - Follow-up from "Draft: Resolve "XoT xfrin""
    • See !5602 (merged) which addresses the most important points from the issue
  • #2884 (closed) - Sometimes dig aborts on an AXFR query over TLS
  • #2986 (closed) - TLS not working on the client-side (dig/named)
  • #3004 (closed) - dig and named crash when receiving XFR over TLS

See RT #16298

Edited Aug 01, 2022 by Artem Boldariev