{"draft":"draft-ietf-dprive-xfr-over-tls-12","doc_id":"RFC9103","title":"DNS Zone Transfer over TLS","authors":["W. Toorop","S. Dickinson","S. Sahib","P. Aras","A. Mankin"],"format":["HTML","TEXT","PDF","XML"],"page_count":"32","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"DNS PRIVate Exchange","abstract":"DNS zone transfers are transmitted in cleartext, which gives\r\nattackers the opportunity to collect the content of a zone by\r\neavesdropping on network connections. The DNS Transaction Signature\r\n(TSIG) mechanism is specified to restrict direct zone transfer to\r\nauthorized clients only, but it does not add confidentiality. This\r\ndocument specifies the use of TLS, rather than cleartext, to prevent\r\nzone content collection via passive monitoring of zone transfers: XFR\r\nover TLS (XoT). Additionally, this specification updates RFC 1995 and\r\nRFC 5936 with respect to efficient use of TCP connections and RFC\r\n7766 with respect to the recommended number of connections between a\r\nclient and server for each transport.","pub_date":"August 2021","keywords":["DNS","operations","privacy"],"obsoletes":[],"obsoleted_by":[],"updates":["RFC1995","RFC5936","RFC7766"],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC9103","errata_url":null}