Technical Summary
DNS zone transfers are transmitted in clear text, which gives
attackers the opportunity to collect the content of a zone by
eavesdropping on network connections. The DNS Transaction Signature
(TSIG) mechanism is specified to restrict direct zone transfer to
authorized clients only, but it does not add confidentiality. This
document specifies the use of TLS, rather than clear text, to prevent
zone content collection via passive monitoring of zone transfers:
XFR-over-TLS (XoT). Additionally, this specification updates
RFC1995, RFC5936 and RFC7766.
Working Group Summary
There were several discussions during the working group process,
but they were all resolved. The IETF Last Call generated only one review (GEN-ART), which has been addressed.
Document Quality
The document was the result of different interpertations of the original
RFC that cause some implementation issues. Section 14 points out there are
several implementations that interact successfully.
Personnel
Document Shepherd: Tim Wicinski
Responsible Area Director: Éric Vyncke