Draft https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/ describes the use of TLS to encrypt zone transfers in order to provide confidentiality, known as XFR-over-TLS (XoT). The draft has been adopted by the DPRIVE WG.
The feature request is for BIND to support XFR-over-TLS as described in the above draft. This will obviously be dependent on DoT (RFC 7858) being implemented in BIND. The specific aspects of the XoT implementation that are desired are:
- Support for both AXFR and IXFR
- Support for XFR-over-TLS both when BIND is acting as a primary and a secondary
- Support for authentication of TLS connections via X.509 certificates (Strict TLS)
- Optimisation of TCP/TLS connections such that persistent connections can be re-used for multiple IXFRs for the same zone, and also IXFRs for different zones.
See RT #16298
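As an added illustration of what the requested behaviour involves on the wire (not BIND's code, and not from the draft), the following stand-alone Python sketches a secondary-side XoT client: an AXFR query with the TCP/TLS length prefix, a Strict TLS context that refuses unauthenticated (opportunistic) TLS by requiring a CA-chained certificate and hostname match, and the end-of-transfer check (second SOA seen) a client needs before it can reuse the same persistent TLS connection for the next AXFR or IXFR. Zone name, query ID and the CA file are assumed placeholders.

```python
import ssl
import struct

def build_axfr_query(zone: str, qid: int = 0x1234) -> bytes:
    """AXFR query in wire format, with the 2-byte length prefix used on TCP/TLS streams."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    msg = header + qname + struct.pack("!HH", 252, 1)      # QTYPE=AXFR, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def strict_tls_context(ca_file=None) -> ssl.SSLContext:
    """Strict TLS: the primary must present a certificate chaining to ca_file (None =
    system trust store) whose name matches the server_hostname given to wrap_socket()."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # opportunistic (unauthenticated) TLS is refused
    ctx.check_hostname = True
    return ctx

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # pointer: two bytes and the name ends
            return off + 2
        off += 1 + length

def count_soa(msg: bytes) -> int:
    """Count SOA records (type 6) in the answer section of one DNS message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    soa = 0
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        soa += rtype == 6
    return soa

def xfr_complete(messages) -> bool:
    """An AXFR ends when the SOA has appeared twice (first and last record); only then
    may the persistent TLS connection be reused for the next transfer query."""
    return sum(count_soa(m) for m in messages) >= 2
```

To run a real transfer, wrap a TCP socket to port 853 with `strict_tls_context(...).wrap_socket(sock, server_hostname=...)`, send `build_axfr_query(zone)`, and read length-prefixed messages until `xfr_complete` is true.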