DNS Zone Transfer-over-TLS
draft-ietf-dprive-xfr-over-tls-09

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, dns-privacy@ietf.org, dprive-chairs@ietf.org, draft-ietf-dprive-xfr-over-tls@ietf.org, evyncke@cisco.com, rfc-editor@rfc-editor.org, tjw.ietf@gmail.com
Subject: Protocol Action: 'DNS Zone Transfer-over-TLS' to Proposed Standard (draft-ietf-dprive-xfr-over-tls-09.txt)

The IESG has approved the following document:
- 'DNS Zone Transfer-over-TLS'
  (draft-ietf-dprive-xfr-over-tls-09.txt) as Proposed Standard

This document is the product of the DNS PRIVate Exchange Working Group.

The IESG contact persons are Erik Kline and Éric Vyncke.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/


Technical Summary

DNS zone transfers are transmitted in clear text, which gives
attackers the opportunity to collect the content of a zone by
eavesdropping on network connections.  The DNS Transaction Signature
(TSIG) mechanism is specified to restrict direct zone transfer to
authorized clients only, but it does not add confidentiality.  This
document specifies the use of TLS, rather than clear text, to prevent
zone content collection via passive monitoring of zone transfers:
XFR-over-TLS (XoT).  Additionally, this specification updates
RFC1995, RFC5936 and RFC7766.

Working Group Summary

There were several discussions during the working group process,
but they were all resolved.

Document Quality

The document was the result of different interpertations of the original
RFC that cause some implementation issues.  Section 14 points out there are
several implementations that interact successfully.

Personnel

Document Shepherd:  Tim Wicinski
Responsible Area Director: Éric Vyncke