RFC9103: DNS Zone Transfer over TLS (XoT)
Description
RFC 9103 describes the use of TLS to encrypt zone transfers in order to provide confidentiality, known as XFR-over-TLS (XoT). The standard has been adopted by the DPRIVE WG.
Feature Request
The feature request is for BIND to support XFR-over-TLS as described in the above RFC. This will obviously be dependent on DoT (RFC7858) being implemented in BIND. The specific aspects of the XoT implementation that are desired are:
* Support for both AXFR and IXFR
  * XoT requires the `dot` ALPN token to be negotiated (See: #2794 (closed))
  * XoT requires TLSv1.3 or higher (See: #2795 (closed), and related #2796 (closed))
* Support for XFR-over-TLS both when BIND is acting as a primary and a secondary
  * XFR-over-TLS (XoT): Primaries need to be able to restrict XFR to just TLS (#2776 (closed))
  * Related: Replace `tcp-only` with a more generic option (#2992)
* Support for authentication of TLS connections via X.509 certificates (Strict TLS and Mutual TLS) - Related MR: !5600 (merged)
  * A TLS contexts cache needs to be implemented for context reuse and fast retrieval of the data associated with contexts (like the CA intermediates chain): #3067 (closed), !5672 (merged)
  * Add remote TLS certificate verification support, implement Strict and Mutual TLS authentication (#3163 (closed))
* Optimisation of TCP/TLS connections such that persistent connections can be re-used for multiple IXFRs for the same zone, and also for IXFRs for different zones.
  * Client TLS session resumption support: !6274 (merged)
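To make the requested behaviour concrete, here is an added `named.conf` sketch (not part of this issue and not taken from BIND's own documentation) showing a primary that serves XoT on port 853 and refuses non-TLS transfers of a zone, and a secondary that pulls from it with Strict/Mutual TLS authentication. The `tls` block, `listen-on ... tls`, `allow-transfer transport tls` and `primaries ... tls` syntax is assumed to match the form these options took once implemented in BIND 9.18; all hostnames, addresses and file paths are placeholders.

```conf
# ===== named.conf on the primary (ns1) =====
# TLS context for the listener: TLSv1.3 only, as XoT requires.
tls xot-server {
    key-file "/etc/bind/ns1.example.key";    # placeholder path
    cert-file "/etc/bind/ns1.example.crt";   # placeholder path
    protocols { TLSv1.3; };
    # Mutual TLS: CA used to verify the secondary's client certificate.
    ca-file "/etc/bind/xfr-ca.pem";          # placeholder path
};

options {
    listen-on port 53 { any; };
    listen-on port 853 tls xot-server { any; };   # DoT/XoT listener
};

zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";        # placeholder path
    # Only transfers arriving over TLS from the secondary are allowed;
    # a plain TCP AXFR/IXFR from the same address is refused.
    allow-transfer transport tls { 192.0.2.2; };
};

# ===== named.conf on the secondary (ns2) =====
# Strict TLS: verify the primary's certificate against the CA and check
# that it matches the expected hostname. Presenting our own key/cert
# makes this Mutual TLS against the primary's ca-file above.
tls xot-client {
    protocols { TLSv1.3; };
    ca-file "/etc/bind/xfr-ca.pem";          # placeholder path
    remote-hostname "ns1.example.com";       # placeholder name
    key-file "/etc/bind/ns2.example.key";    # placeholder path
    cert-file "/etc/bind/ns2.example.crt";   # placeholder path
};

zone "example.com" {
    type secondary;
    file "/var/cache/bind/db.example.com";  # placeholder path
    primaries { 192.0.2.1 port 853 tls xot-client; };
};
```

The two halves belong in separate configuration files on the two servers; a single named.conf must not define the same zone twice.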
Related issues/bugs
* #2450 - Follow-up from "Draft: Resolve "XoT xfrin"" - See !5602 (merged), which addresses the most important points from the issue
* #2884 (closed) - Sometimes dig aborts on an AXFR query over TLS
* #2986 (closed) - TLS not working on the client-side (dig/named)
* #3004 (closed) - dig and named crash when receiving XFR over TLS
See RT #16298
Edited by Artem Boldariev