draft-ietf-dprive-xfr-over-tls-10.txt   draft-ietf-dprive-xfr-over-tls-11.txt 
skipping to change at page 1, line 14 skipping to change at page 1, line 14
Internet-Draft NLnet Labs Internet-Draft NLnet Labs
Updates: 1995, 5936, 7766 (if approved) S. Dickinson Updates: 1995, 5936, 7766 (if approved) S. Dickinson
Intended status: Standards Track Sinodun IT Intended status: Standards Track Sinodun IT
Expires: October 22, 2021 S. Sahib Expires: October 22, 2021 S. Sahib
P. Aras P. Aras
A. Mankin A. Mankin
Salesforce Salesforce
April 20, 2021 April 20, 2021
DNS Zone Transfer-over-TLS DNS Zone Transfer-over-TLS
draft-ietf-dprive-xfr-over-tls-10 draft-ietf-dprive-xfr-over-tls-11
Abstract Abstract
DNS zone transfers are transmitted in clear text, which gives DNS zone transfers are transmitted in clear text, which gives
attackers the opportunity to collect the content of a zone by attackers the opportunity to collect the content of a zone by
eavesdropping on network connections. The DNS Transaction Signature eavesdropping on network connections. The DNS Transaction Signature
(TSIG) mechanism is specified to restrict direct zone transfer to (TSIG) mechanism is specified to restrict direct zone transfer to
authorized clients only, but it does not add confidentiality. This authorized clients only, but it does not add confidentiality. This
document specifies the use of TLS, rather than clear text, to prevent document specifies the use of TLS, rather than clear text, to prevent
zone content collection via passive monitoring of zone transfers: zone content collection via passive monitoring of zone transfers:
skipping to change at page 6, line 10 skipping to change at page 6, line 10
DNS terminology is as described in [RFC8499]. Note that as in DNS terminology is as described in [RFC8499]. Note that as in
[RFC8499], the terms 'primary' and 'secondary' are used for two [RFC8499], the terms 'primary' and 'secondary' are used for two
servers engaged in zone transfers. servers engaged in zone transfers.
DoT: DNS-over-TLS as specified in [RFC7858] DoT: DNS-over-TLS as specified in [RFC7858]
XFR-over-TCP: Used to mean both IXFR-over-TCP [RFC1995] and AXFR- XFR-over-TCP: Used to mean both IXFR-over-TCP [RFC1995] and AXFR-
over-TCP [RFC5936]. over-TCP [RFC5936].
XoT: Generic XFR-over-TLS mechanisms as specified in this document XoT: XFR-over-TLS mechanisms as specified in this document which
apply to both AXFR-over-TLS and IXFR-over-TLS
AXoT: AXFR-over-TLS AXoT: AXFR-over-TLS
IXoT: IXFR over-TLS IXoT: IXFR over-TLS
4. Threat Model 4. Threat Model
The threat model considered here is one where the current contents The threat model considered here is one where the current contents
and size of the zone are considered sensitive and should be protected and size of the zone are considered sensitive and should be protected
during transfer. during transfer.
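Review bot: the revised XoT entry on page 6, "XFR-over-TLS mechanisms as specified in this document which apply to both AXFR-over-TLS and IXFR-over-TLS", uses a restrictive clause, so "that apply" (or a comma before "which") reads better; and since AXoT and IXoT are defined in the two entries that immediately follow, wording it as "which apply to both AXoT and IXoT" would tie the three terms together instead of spelling the expansions out twice. In the same block, though not touched by this change, "IXoT: IXFR over-TLS" lacks the hyphen that "AXoT: AXFR-over-TLS" has.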
 End of changes. 2 change blocks. 
2 lines changed or deleted 3 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/