ISC Open Source Projects / BIND / Issues / #2776

XFR-over-TLS (XoT): Primaries need to be able to restrict XFR to just TLS

As part of implementing #1784 (closed)

Unless I’m missing something, I cannot see a way to configure a primary to allow xfr for a zone ONLY over TLS. I can add a listen-on address with tls, and I can restrict transfers by TSIG and ACL. However, the current ACLs don’t allow a transport to be specified (or a port), so the primary will still provide XFR over TCP. I discussed an allow-transfer-tls option or similar with Witold very early on, but it looks like the existing option has been extended, in which case I think an extension of the ACL directive to include a transport/port is needed? The specification requires that the primary can limit XFR to just TLS to avoid leaking in case the secondary is misconfigured.

This needs some discussion before deciding on a solution
