RFC9103: DNS Zone Transfer over TLS (XoT)
Description
The RFC9103 describes the use of TLS to encrypt zones transfers in order to provide confidentiality, known as XFR-over-TLS (XoT). The standard has been adopted by the DPRIVE WG.
Feature Request
The feature request is for BIND to support XFR-over-TLS as described in the above RFC. This will obviously be dependent on DoT (RFC7858) being implemented in BIND. The specific aspects of the XoT implementation that are desired are:
-
* Support for both AXFR and IXFR -
* XoT requires dotALPN token to be negotiated (See: #2794 (closed)) -
* XoT requires TLSv1.3 or higher (See: #2795 (closed), and related #2796 (closed))
-
-
* Support for XFR-over-TLS both when BIND is acting as a primary and a secondary -
* XFR-over-TLS (XoT): Primaries need to be able to restrict XFR to just TLS (#2776 (closed)) -
* Related: Replace tcp-onlywith a more generic option (#2992)
-
-
* Support for authentication of TLS connections via X.509 certificates (Strict TLS and Mutual TLS) - Related MR: !5600 (merged)
-
* A TLS contexts cache needs to be implemented for contexts reuse and fast retrieval of the data associated with contexts (like CA intermediates chain): #3067 (closed), !5672 (merged) -
* Add remote TLS certificate verification support, implement Strict and Mutual TLS authentication (#3163 (closed))
-
* Optimisation of TCP/TLS connections such that persistent connections can be re-used for multiple IXFRs for the same zone, and also IXFRs for different zones. -
Client TLS session resumption support: !6274 (merged)
Related issues/bugs
-
* #2450 - Follow-up from "Draft: Resolve "XoT xfrin"" - See !5602 (merged) which addresses the most important points from the issue
-
* #2884 (closed) - Sometimes dig aborts on an AXFR query over TLS -
* #2986 (closed) - TLS not working on the client-side (dig/named) -
* #3004 (closed) - dig and named crash when receiving XFR over TLS
See RT #16298