change allow-transfer default to "none"

Changed the default value for 'allow-transfer' to 'none'; zone transfers now require explicit authorization. Updated all system tests to specify an allow-transfer ACL when needed. Revised the ARM to specify that the default is 'none'.
2025-08-31 14:35:26 +00:00 · 2024-05-16 15:23:22 -07:00
parent 74cbaf46c9
commit c3d3d12911
75 changed files with 80 additions and 4 deletions
--- a/bin/tests/system/addzone/ns1/named.conf.in
+++ b/bin/tests/system/addzone/ns1/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	allow-query { any; };
 	allow-new-zones yes;
 	recursion no;
--- a/bin/tests/system/addzone/ns3/named1.conf.in
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@@ -23,6 +23,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-query { any; };
+	allow-transfer { any; };
 	recursion no;
 	allow-new-zones yes;
 	dnssec-validation no;
--- a/bin/tests/system/addzone/ns3/named2.conf.in
+++ b/bin/tests/system/addzone/ns3/named2.conf.in
@@ -23,6 +23,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-query { any; };
+	allow-transfer { any; };
 	recursion no;
 	allow-new-zones yes;
 	dnssec-validation no;
--- a/bin/tests/system/auth/ns1/named.conf.in
+++ b/bin/tests/system/auth/ns1/named.conf.in
@@ -25,6 +25,8 @@ options {
 };

 view main in {
+	allow-transfer { any; };
+
 	zone example.net {
 		type primary;
 		file "example.net.db";
--- a/bin/tests/system/autosign/ns1/named.conf.in
+++ b/bin/tests/system/autosign/ns1/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -24,6 +24,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/cacheclean/ns1/named.conf.in
+++ b/bin/tests/system/cacheclean/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/case/ns1/named.conf.in
+++ b/bin/tests/system/case/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	ixfr-from-differences yes;
--- a/bin/tests/system/case/ns2/named.conf.in
+++ b/bin/tests/system/case/ns2/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	ixfr-from-differences yes;
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
--- a/bin/tests/system/catz/ns2/named2.conf.in
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
--- a/bin/tests/system/catz/ns3/named.conf.in
+++ b/bin/tests/system/catz/ns3/named.conf.in
@@ -27,6 +27,7 @@ options {
 	provide-ixfr no;
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
--- a/bin/tests/system/catz/ns4/named.conf.in
+++ b/bin/tests/system/catz/ns4/named.conf.in
@@ -26,6 +26,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { fd92:7065:b8e:ffff::4; };
+	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
--- a/bin/tests/system/checknames/ns4/named.conf.in
+++ b/bin/tests/system/checknames/ns4/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation yes;
 	check-names primary ignore;
--- a/bin/tests/system/checknames/ns5/named.conf.in
+++ b/bin/tests/system/checknames/ns5/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation yes;
 	check-names master ignore;
--- a/bin/tests/system/dialup/ns1/named.conf.in
+++ b/bin/tests/system/dialup/ns1/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	heartbeat-interval 1;
 	recursion no;
 	dnssec-validation no;
--- a/bin/tests/system/dialup/ns2/named.conf.in
+++ b/bin/tests/system/dialup/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	heartbeat-interval 1;
 	recursion no;
 	dnssec-validation no;
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/inline/ns1/named.conf.in
+++ b/bin/tests/system/inline/ns1/named.conf.in
@@ -23,6 +23,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/inline/ns2/named.conf.in
+++ b/bin/tests/system/inline/ns2/named.conf.in
@@ -27,6 +27,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	notify-delay 0;
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
@@ -28,6 +28,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	recursion no;
+	allow-transfer { any; };
 	notify yes;
 	try-tcp-refresh no;
 	notify-delay 0;
--- a/bin/tests/system/inline/ns4/named.conf.in
+++ b/bin/tests/system/inline/ns4/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	notify-delay 0;
--- a/bin/tests/system/ixfr/ns1/named.conf.in
+++ b/bin/tests/system/ixfr/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/ixfr/ns4/named.conf.in
+++ b/bin/tests/system/ixfr/ns4/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/ixfr/ns5/named.conf.in
+++ b/bin/tests/system/ixfr/ns5/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	provide-ixfr no;
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -64,6 +64,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-policy "test";
 	dnssec-validation no;
--- a/bin/tests/system/kasp/ns5/named.conf.in
+++ b/bin/tests/system/kasp/ns5/named.conf.in
@@ -49,6 +49,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-policy "none";
 	dnssec-validation no;
--- a/bin/tests/system/masterfile/ns1/named.conf.in
+++ b/bin/tests/system/masterfile/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/masterfile/ns2/named.conf.in
+++ b/bin/tests/system/masterfile/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/mirror/ns1/named.conf.in
+++ b/bin/tests/system/mirror/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 };
--- a/bin/tests/system/mirror/ns2/named.conf.in
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 };
--- a/bin/tests/system/notify/ns2/named.conf.in
+++ b/bin/tests/system/notify/ns2/named.conf.in
@@ -20,6 +20,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	startup-notify-rate 5;
--- a/bin/tests/system/notify/ns4/named.conf.in
+++ b/bin/tests/system/notify/ns4/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -34,6 +34,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/rpz/ns1/named.conf.in
+++ b/bin/tests/system/rpz/ns1/named.conf.in
@@ -20,6 +20,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	dnssec-validation no;
--- a/bin/tests/system/rpz/ns10/named.conf.in
+++ b/bin/tests/system/rpz/ns10/named.conf.in
@@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.10; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns2/named.conf.in
+++ b/bin/tests/system/rpz/ns2/named.conf.in
@@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns4/named.conf.in
+++ b/bin/tests/system/rpz/ns4/named.conf.in
@@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns5/named.conf.in
+++ b/bin/tests/system/rpz/ns5/named.conf.in
@@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	ixfr-from-differences yes;
 	notify-delay 0;
 	notify yes;
--- a/bin/tests/system/rpz/ns6/named.conf.in
+++ b/bin/tests/system/rpz/ns6/named.conf.in
@@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.6; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	forward only;
 	forwarders { 10.53.0.3; };
 	minimal-responses no;
--- a/bin/tests/system/rpz/ns7/named.conf.in
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	minimal-responses no;
 	recursion yes;
 	dnssec-validation yes;
--- a/bin/tests/system/rpz/ns8/named.conf.in
+++ b/bin/tests/system/rpz/ns8/named.conf.in
@@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.8; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns9/named.conf.in
+++ b/bin/tests/system/rpz/ns9/named.conf.in
@@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.9; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rrsetorder/ns1/named.conf.in
+++ b/bin/tests/system/rrsetorder/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
--- a/bin/tests/system/serve-stale/ns1/named1.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named1.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 3600;
--- a/bin/tests/system/serve-stale/ns1/named2.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named2.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 3600;
--- a/bin/tests/system/serve-stale/ns1/named3.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named3.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 20;
--- a/bin/tests/system/serve-stale/ns1/named4.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named4.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 20;
--- a/bin/tests/system/timeouts/ns1/named.conf.in
+++ b/bin/tests/system/timeouts/ns1/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	dnssec-validation no;
 	recursion no;
 	notify no;
--- a/bin/tests/system/unknown/ns1/named.conf.in
+++ b/bin/tests/system/unknown/ns1/named.conf.in
@@ -25,6 +25,8 @@ options {
 };

 view "in" {
+	allow-transfer { any; };
+
 	zone "example." {
 		type primary;
 		file "example-in.db";
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -26,6 +26,7 @@ options {
 	listen-on { 10.53.0.1; };
 	listen-on tls ephemeral { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/upforwd/ns2/named.conf.in
+++ b/bin/tests/system/upforwd/ns2/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/upforwd/ns3/named1.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -21,6 +21,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/upforwd/ns3/named2.conf.in
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@@ -21,6 +21,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/views/ns2/named1.conf.in
+++ b/bin/tests/system/views/ns2/named1.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/views/ns2/named2.conf.in
+++ b/bin/tests/system/views/ns2/named2.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/views/ns2/named3.conf.in
+++ b/bin/tests/system/views/ns2/named3.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
--- a/bin/tests/system/xfer/ns1/named1.conf.in
+++ b/bin/tests/system/xfer/ns1/named1.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns1/named2.conf.in
+++ b/bin/tests/system/xfer/ns1/named2.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns1/named3.conf.in
+++ b/bin/tests/system/xfer/ns1/named3.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns2/named.conf.in
+++ b/bin/tests/system/xfer/ns2/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns3/named.conf.in
+++ b/bin/tests/system/xfer/ns3/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns4/named.conf.base.in
+++ b/bin/tests/system/xfer/ns4/named.conf.base.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns6/named.conf.in
+++ b/bin/tests/system/xfer/ns6/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.6; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns7/named.conf.in
+++ b/bin/tests/system/xfer/ns7/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns8/named.conf.in
+++ b/bin/tests/system/xfer/ns8/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.8; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
--- a/bin/tests/system/xfer/tests.sh
+++ b/bin/tests/system/xfer/tests.sh
@@ -255,7 +255,7 @@ status=$((status + tmp))

 n=$((n + 1))
 echo_i "check that a multi-message uncompressable zone transfers ($n)"
-$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out
+$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out || tmp=1
 if test $(wc -l <axfr.out) != 2; then
  echo_i "failed"
  status=$((status + 1))
--- a/bin/tests/system/xferquota/ns1/named.conf.in
+++ b/bin/tests/system/xferquota/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xferquota/ns2/named.conf.in
+++ b/bin/tests/system/xferquota/ns2/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
--- a/bin/tests/system/zero/ns2/named.conf.in
+++ b/bin/tests/system/zero/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	dnssec-validation no;
+	allow-transfer { any; };
 };

 zone "example" {