diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 0dc3088397..4ebc09e67c 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -947,6 +947,7 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
 		break;
 	case DNS_TRANSPORT_TLS:
 		CHECK(isc_tlsctx_createclient(&xfr->tlsctx));
+		isc_tlsctx_enable_dot_client_alpn(xfr->tlsctx);
 		isc_nm_tlsdnsconnect(xfr->netmgr, &xfr->sourceaddr,
 				     &xfr->masteraddr, xfrin_connect_done,
 				     connect_xfr, 30000, 0, xfr->tlsctx);
@@ -1018,6 +1019,10 @@ xfrin_connect_done(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 
 	CHECK(result);
 
+	if (!isc_nm_xfr_allowed(handle)) {
+		goto failure;
+	}
+
 	zmgr = dns_zone_getmgr(xfr->zone);
 	if (zmgr != NULL) {
 		if (result != ISC_R_SUCCESS) {