From 79d8af735495e29477f16dda590b37e37f0c85dc Mon Sep 17 00:00:00 2001
From: Artem Boldariev
Date: Mon, 30 Aug 2021 17:13:00 +0300
Subject: [PATCH] Require "dot" ALPN token for incoming xfrs over XoT

This commit make the code handling incoming zone transfers to verify if they are allowed to be done over the underlying connections. As a result the check ensures that the "dot" ALPN token has been negotiated over the underlying connection.
---
 lib/dns/xfrin.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 0dc3088397..4ebc09e67c 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -947,6 +947,7 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
 		break;
 	case DNS_TRANSPORT_TLS:
 		CHECK(isc_tlsctx_createclient(&xfr->tlsctx));
+		isc_tlsctx_enable_dot_client_alpn(xfr->tlsctx);
 		isc_nm_tlsdnsconnect(xfr->netmgr, &xfr->sourceaddr,
 				     &xfr->masteraddr, xfrin_connect_done,
 				     connect_xfr, 30000, 0, xfr->tlsctx);
@@ -1018,6 +1019,10 @@ xfrin_connect_done(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 
 	CHECK(result);
 
+	if (!isc_nm_xfr_allowed(handle)) {
+		goto failure;
+	}
+
 	zmgr = dns_zone_getmgr(xfr->zone);
 	if (zmgr != NULL) {
 		if (result != ISC_R_SUCCESS) {
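Review bot: The added `isc_tlsctx_enable_dot_client_alpn(xfr->tlsctx);` in the DNS_TRANSPORT_TLS case carries no explanation, although its whole purpose is enforced by a check in a different function; a comment such as `/* Offer the "dot" ALPN token; xfrin_connect_done() refuses the transfer if the server did not negotiate it. */` would keep the two halves of the policy discoverable. Unlike the `isc_tlsctx_createclient()` call on the line above, the new call is not wrapped in CHECK(); its signature is not visible here, so if it can report failure its status should be checked in the same way before the context is handed to `isc_nm_tlsdnsconnect()`. The switch this case belongs to starts and ends outside the hunk.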
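Review bot: The new `goto failure` reaches the failure label with `result` still equal to ISC_R_SUCCESS, because the preceding `CHECK(result)` has just established that; if the label reports or logs `result` (it lies outside the hunk), a transfer refused for lack of the "dot" ALPN token will be recorded as a success. Setting a distinct code first, e.g. `result = ISC_R_FAILURE;`, and logging that the peer did not negotiate the expected ALPN token would let an operator distinguish this policy refusal from an ordinary connection failure. The check also runs for every transport type, so it relies on `isc_nm_xfr_allowed()` returning true for plain TCP handles; if that is not guaranteed, limit it to the TLS transport the way xfrin_start() does with its transport switch. xfrin_connect_done's body continues outside the hunk on both sides.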