XFR-over-TLS (XoT): Primaries need to be able to restrict XFR to just TLS
As part of implementing #1784 (closed).
Unless I'm missing something, I cannot see a way to configure a primary to allow XFR for a zone ONLY over TLS. I can add a `listen-on` address with `tls`, and I can restrict transfers by TSIG and ACL. However, the current ACLs don't allow a transport to be specified (or a port), so the primary will still provide XFR over TCP. I discussed an `allow-transfer-tls` option or similar with Witold very early on, but it looks like the existing option has been extended, in which case I think an extension of the ACL directive to include a transport/port is needed? The specification requires that the primary can limit XFR to just TLS to avoid leaking in case the secondary is misconfigured.
This needs some discussion before deciding on a solution.
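For reference, this is what the restriction described above looks like as a `named.conf` fragment. It is an added example, not configuration from this issue or from the BIND project, and it assumes the `port`/`transport` qualifiers on `allow-transfer` (present in BIND 9.18 and later, not at the time this issue was filed) plus placeholder file paths and a constructed TSIG secret.

```conf
# Added example; not from the issue or from BIND itself.
# Assumes allow-transfer accepts "port" and "transport" qualifiers
# (BIND 9.18+). Paths and the TSIG secret below are placeholders.

tls xot-tls {
    key-file "/etc/bind/tls/primary.key";    # placeholder path
    cert-file "/etc/bind/tls/primary.crt";   # placeholder path
};

key secondary-key {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVI=";               # constructed placeholder, not a real key
};

options {
    listen-on port 53 { any; };              # plain DNS still served here
    listen-on port 853 tls xot-tls { any; }; # XoT listener
};

zone "example.com" {
    type primary;
    file "/etc/bind/zones/example.com.db";   # placeholder path

    # Weak form (the situation described in the issue): transport is not
    # constrained, so a secondary holding the key can still pull the zone
    # in cleartext over port 53 if it is misconfigured.
    # allow-transfer { key secondary-key; };

    # Restricted form: XFR is only permitted on the TLS listener. A TSIG-signed
    # AXFR/IXFR arriving over plain TCP on port 53 is refused, which is the
    # leak the issue wants the primary to be able to prevent.
    allow-transfer port 853 transport tls { key secondary-key; };
};
```

After reloading, verify with `named-checkconf` and confirm that a transfer attempt from the secondary over port 53 is logged as refused while the same request over 853/TLS succeeds.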