This talk prepares the ground for planning and deploying DNS Zone Transfers-over-TLS (XoT). The specification has been submitted to the IESG for publication as a Proposed Standard; BIND has shipped XoT in released software, and managed DNS vendors are planning product offerings.
Why XoT? DNS zones today often contain data that the zone owner has good reason to keep private. For example, a zone may reveal sensitive corporate information (internal services, projects, locations) or embed personal names in hostnames. There may also be regulatory, policy or other reasons why the zone contents, taken as a whole, must be treated as private.
Currently, DNS zone transfers, both full (AXFR, RFC 1035) and incremental (IXFR, RFC 1995), are sent in clear text, so an eavesdropper on the path between primary and secondary can collect the entire contents of a zone by passively monitoring the connection.
DNS zone transfers-over-TLS (XoT) specifies the use of TLS for AXFR and IXFR to prevent zone content collection by passive monitoring. The XoT Internet-Draft has passed Working Group Last Call in the DPRIVE (DNS Privacy) Working Group at the Internet Engineering Task Force (IETF). BIND 9.17 includes XoT support for both incoming and outgoing zone transfers, and there are open pull requests adding support to NSD. This talk will discuss various aspects of this evolution of zone transfers, including:
- The current state of development and adoption of XoT
- New operational models for authentication that could be used with XoT (the basic recommendations, how to use transfer group policies, and when you might use mTLS)
- The benefits of connection re-use for multiple transfers, whether of the same zone or of different zones
- Real-world deployment challenges and potential solutions
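As an added illustration of the authentication models listed above (this is example configuration written for this page, not the talk's material nor text from ISC's documentation), the fragments below show a BIND primary that still allows cleartext transfers, the same primary restricted to XoT, the mTLS variant, and the matching secondary. The syntax is that of BIND 9.18, the stable release that followed the 9.17 development branch named above. The zone name, the TEST-NET addresses, the certificate paths, the `tls` block names and the hostname in the primary's certificate are all assumed for the example; the "before" and "after" zone blocks are alternatives, not meant to coexist in one named.conf.

```conf
// --- Primary, BEFORE: cleartext AXFR/IXFR on port 53 ---
// Any host in the ACL can pull the zone in clear text, and an on-path
// observer sees the whole zone go by.
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";          // assumed path
    allow-transfer { 192.0.2.2; };
};

// --- Primary, AFTER: transfers only over TLS on port 853 ---
// Server-side TLS identity used by the 853 listener.
tls xfr-server {
    key-file  "/etc/named/tls/primary.key";    // assumed path
    cert-file "/etc/named/tls/primary.crt";    // assumed path
    protocols { TLSv1.3; };                    // no downgrade to older TLS
};

options {
    listen-on port 853 tls xfr-server { 192.0.2.1; };
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    // The ACL is qualified by port and transport: a cleartext AXFR
    // request on port 53 from 192.0.2.2 is refused, a TLS one on 853
    // is served. Source address is still the only client check here.
    allow-transfer port 853 transport tls { 192.0.2.2; };
};

// --- Primary, mTLS variant ---
// Adding ca-file to the tls block used by listen-on makes named require
// a client certificate and verify it against that CA, so the secondary
// is authenticated by certificate rather than by source address alone.
tls xfr-server-mtls {
    key-file  "/etc/named/tls/primary.key";
    cert-file "/etc/named/tls/primary.crt";
    ca-file   "/etc/named/tls/xfr-ca.crt";     // assumed path: CA that issued secondary certs
    protocols { TLSv1.3; };
};

// --- Secondary ---
// Client-side TLS: verify the primary's certificate chain against the
// CA and check the name it presents (otherwise the primary's IP address
// is used for verification). key-file/cert-file are only needed when
// the primary runs the mTLS variant.
tls xfr-client {
    ca-file         "/etc/named/tls/xfr-ca.crt";
    remote-hostname "ns1.example.com";         // assumed: name in the primary's certificate
    key-file        "/etc/named/tls/secondary.key";
    cert-file       "/etc/named/tls/secondary.crt";
};

zone "example.com" {
    type secondary;
    file "/var/named/example.com.db";
    primaries { 192.0.2.1 port 853 tls xfr-client; };
};
```

The point to check after deploying the "after" block is that the cleartext path is really closed: an AXFR attempted against port 53 from the secondary's address should now be REFUSED, while the same request over TLS to 853 succeeds. TSIG can be layered on top of either variant by adding `key <name>` to the `allow-transfer` ACL and to the `primaries` entry, which is the "transfer group policy" combination of a shared key plus a TLS-authenticated channel.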