UNLIMITED FREE
ACCESS TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Select Your Free Newsletters

Industry Newsletters

Select Your Free Product Alerts

Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

IETF - RFC 9103

DNS Zone Transfer over TLS

active, Most Current
Organization: IETF
Publication Date: 1 August 2021
Status: active
Page Count: 32
scope:

Abstract

DNS zone transfers are transmitted in cleartext, which gives attackers the opportunity to collect the content of a zone by eavesdropping on network connections. The DNS Transaction Signature (TSIG) mechanism is specified to restrict direct zone transfer to authorized clients only, but it does not add confidentiality. This document specifies the use of TLS, rather than cleartext, to prevent zone content collection via passive monitoring of zone transfers: XFR over TLS (XoT). Additionally, this specification updates RFC 1995 and RFC 5936 with respect to efficient use of TCP connections and RFC 7766 with respect to the recommended number of connections between a client and server for each transport.

Document History

RFC 9103
August 1, 2021
DNS Zone Transfer over TLS
Abstract DNS zone transfers are transmitted in cleartext, which gives attackers the opportunity to collect the content of a zone by eavesdropping on network connections. The DNS Transaction...

References

This document references:
RFC 1034 - Domain Names - Concepts and Facilities
Published by IETF on November 1, 1987
A description is not available for this item.
This document references:
RFC 1035 - Domain Names - Implementation and Specification
Published by IETF on November 1, 1987
A description is not available for this item.
This document references:
IETF RFC 1982 - Serial Number Arithmetic
Published by IETF on August 1, 1996
This memo defines serial number arithmetic, as used in the Domain Name System. The DNS has long relied upon serial number arithmetic, a concept which has never really been defined, certainly not in...
This document references:
IETF RFC 1996 - A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
Published by IETF on August 1, 1996
A description is not available for this item.
This document is referenced by:
RFC 9250 - DNS over Dedicated QUIC Connections
Published by IETF on May 1, 2022
Abstract This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport...
This document is referenced by:
RFC 9432 - DNS Catalog Zones
Published by IETF on July 1, 2023
This document describes a method for automatic DNS zone provisioning among DNS primary and secondary name servers by storing and transferring the catalog of zones to be provisioned as one or more...
This document supersedes:
IETF RFC 1995 - Incremental Zone Transfer in DNS
Published by IETF on August 1, 1996
This document proposes extensions to the DNS protocols to provide an incremental zone transfer (IXFR) mechanism.
This document supersedes:
IETF RFC 1995 - Incremental Zone Transfer in DNS
Published by IETF on August 1, 1996
This document proposes extensions to the DNS protocols to provide an incremental zone transfer (IXFR) mechanism.
View Less
View All
Advertisement