XFR-over-TLS (XoT): Primaries need to be able to restrict XFR to just TLS
As part of implementing #1784
Unless I’m missing something I cannot see a way to configure a primary to allow xfr for a zone ONLY over TLS. I can add a
listen-on address with
tls, and I can restrict transfers by TSIG and ACL. However the current ACLs don’t allow a transport to be specified (or a port), so the primary will still provide XFR over TCP. I discussed a
allow-transer-tls option or similar with Witold very early on but it looks like the existing option has been extended, in which case I think an extension of the ACL directive to include a transport/port is needed? The specification requires that the primary can limit XFR to just TLS to avoid leaking in case the secondary is misconfigured.
This needs some discussion before deciding on a solution