change allow-transfer default to "none"

Changed the default value for 'allow-transfer' to 'none'; zone transfers now require explicit authorization. Updated all system tests to specify an allow-transfer ACL when needed. Revised the ARM to specify that the default is 'none'.
2025-08-22 18:19:42 +00:00 · 2024-05-16 15:23:22 -07:00 · 2024-05-16 15:23:22 -07:00 · c3d3d12911
commit c3d3d12911
parent 74cbaf46c9
75 changed files with 80 additions and 4 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -207,7 +207,7 @@ options {\n\
 	/* zone */\n\
 	allow-query {any;};\n\
 	allow-query-on {any;};\n\
-	allow-transfer {any;};\n\
+	allow-transfer {none;};\n\
 #	also-notify <none>\n\
 	check-integrity yes;\n\
 	check-mx-cname warn;\n\
--- a/bin/tests/system/addzone/ns1/named.conf.in
+++ b/bin/tests/system/addzone/ns1/named.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	allow-query { any; };
 	allow-new-zones yes;
 	recursion no;
--- a/bin/tests/system/addzone/ns3/named1.conf.in
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@ -23,6 +23,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-query { any; };
 	allow-transfer { any; };
 	recursion no;
 	allow-new-zones yes;
 	dnssec-validation no;
--- a/bin/tests/system/addzone/ns3/named2.conf.in
+++ b/bin/tests/system/addzone/ns3/named2.conf.in
@ -23,6 +23,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-query { any; };
 	allow-transfer { any; };
 	recursion no;
 	allow-new-zones yes;
 	dnssec-validation no;
--- a/bin/tests/system/auth/ns1/named.conf.in
+++ b/bin/tests/system/auth/ns1/named.conf.in
@ -25,6 +25,8 @@ options {
 };
 view main in {
 	allow-transfer { any; };
 	zone example.net {
 		type primary;
 		file "example.net.db";
--- a/bin/tests/system/autosign/ns1/named.conf.in
+++ b/bin/tests/system/autosign/ns1/named.conf.in
@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@ -24,6 +24,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/cacheclean/ns1/named.conf.in
+++ b/bin/tests/system/cacheclean/ns1/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/case/ns1/named.conf.in
+++ b/bin/tests/system/case/ns1/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	ixfr-from-differences yes;
--- a/bin/tests/system/case/ns2/named.conf.in
+++ b/bin/tests/system/case/ns2/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	ixfr-from-differences yes;
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
 	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
--- a/bin/tests/system/catz/ns2/named2.conf.in
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
 	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
--- a/bin/tests/system/catz/ns3/named.conf.in
+++ b/bin/tests/system/catz/ns3/named.conf.in
@ -27,6 +27,7 @@ options {
 	provide-ixfr no;
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { fd92:7065:b8e:ffff::3; };
 	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
--- a/bin/tests/system/catz/ns4/named.conf.in
+++ b/bin/tests/system/catz/ns4/named.conf.in
@ -26,6 +26,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { fd92:7065:b8e:ffff::4; };
 	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
--- a/bin/tests/system/checknames/ns4/named.conf.in
+++ b/bin/tests/system/checknames/ns4/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation yes;
 	check-names primary ignore;
--- a/bin/tests/system/checknames/ns5/named.conf.in
+++ b/bin/tests/system/checknames/ns5/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation yes;
 	check-names master ignore;
--- a/bin/tests/system/dialup/ns1/named.conf.in
+++ b/bin/tests/system/dialup/ns1/named.conf.in
@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	heartbeat-interval 1;
 	recursion no;
 	dnssec-validation no;
--- a/bin/tests/system/dialup/ns2/named.conf.in
+++ b/bin/tests/system/dialup/ns2/named.conf.in
@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	heartbeat-interval 1;
 	recursion no;
 	dnssec-validation no;
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/inline/ns1/named.conf.in
+++ b/bin/tests/system/inline/ns1/named.conf.in
@ -23,6 +23,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/inline/ns2/named.conf.in
+++ b/bin/tests/system/inline/ns2/named.conf.in
@ -27,6 +27,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	notify-delay 0;
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
@ -28,6 +28,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	recursion no;
 	allow-transfer { any; };
 	notify yes;
 	try-tcp-refresh no;
 	notify-delay 0;
--- a/bin/tests/system/inline/ns4/named.conf.in
+++ b/bin/tests/system/inline/ns4/named.conf.in
@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	notify-delay 0;
--- a/bin/tests/system/ixfr/ns1/named.conf.in
+++ b/bin/tests/system/ixfr/ns1/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/ixfr/ns4/named.conf.in
+++ b/bin/tests/system/ixfr/ns4/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/ixfr/ns5/named.conf.in
+++ b/bin/tests/system/ixfr/ns5/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	provide-ixfr no;
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@ -64,6 +64,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-policy "test";
 	dnssec-validation no;
--- a/bin/tests/system/kasp/ns5/named.conf.in
+++ b/bin/tests/system/kasp/ns5/named.conf.in
@ -49,6 +49,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-policy "none";
 	dnssec-validation no;
--- a/bin/tests/system/masterfile/ns1/named.conf.in
+++ b/bin/tests/system/masterfile/ns1/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/masterfile/ns2/named.conf.in
+++ b/bin/tests/system/masterfile/ns2/named.conf.in
@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
--- a/bin/tests/system/mirror/ns1/named.conf.in
+++ b/bin/tests/system/mirror/ns1/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 };
--- a/bin/tests/system/mirror/ns2/named.conf.in
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 };
--- a/bin/tests/system/notify/ns2/named.conf.in
+++ b/bin/tests/system/notify/ns2/named.conf.in
@ -20,6 +20,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	startup-notify-rate 5;
--- a/bin/tests/system/notify/ns4/named.conf.in
+++ b/bin/tests/system/notify/ns4/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@ -34,6 +34,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	notify yes;
 	dnssec-validation no;
--- a/bin/tests/system/rpz/ns1/named.conf.in
+++ b/bin/tests/system/rpz/ns1/named.conf.in
@ -20,6 +20,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	dnssec-validation no;
--- a/bin/tests/system/rpz/ns10/named.conf.in
+++ b/bin/tests/system/rpz/ns10/named.conf.in
@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.10; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns2/named.conf.in
+++ b/bin/tests/system/rpz/ns2/named.conf.in
@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns4/named.conf.in
+++ b/bin/tests/system/rpz/ns4/named.conf.in
@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns5/named.conf.in
+++ b/bin/tests/system/rpz/ns5/named.conf.in
@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	ixfr-from-differences yes;
 	notify-delay 0;
 	notify yes;
--- a/bin/tests/system/rpz/ns6/named.conf.in
+++ b/bin/tests/system/rpz/ns6/named.conf.in
@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.6; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	forward only;
 	forwarders { 10.53.0.3; };
 	minimal-responses no;
--- a/bin/tests/system/rpz/ns7/named.conf.in
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	minimal-responses no;
 	recursion yes;
 	dnssec-validation yes;
--- a/bin/tests/system/rpz/ns8/named.conf.in
+++ b/bin/tests/system/rpz/ns8/named.conf.in
@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.8; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rpz/ns9/named.conf.in
+++ b/bin/tests/system/rpz/ns9/named.conf.in
@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.9; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
--- a/bin/tests/system/rrsetorder/ns1/named.conf.in
+++ b/bin/tests/system/rrsetorder/ns1/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
--- a/bin/tests/system/serve-stale/ns1/named1.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named1.conf.in
@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 3600;
--- a/bin/tests/system/serve-stale/ns1/named2.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named2.conf.in
@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 3600;
--- a/bin/tests/system/serve-stale/ns1/named3.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named3.conf.in
@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 20;
--- a/bin/tests/system/serve-stale/ns1/named4.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named4.conf.in
@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 20;
--- a/bin/tests/system/timeouts/ns1/named.conf.in
+++ b/bin/tests/system/timeouts/ns1/named.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	dnssec-validation no;
 	recursion no;
 	notify no;
--- a/bin/tests/system/unknown/ns1/named.conf.in
+++ b/bin/tests/system/unknown/ns1/named.conf.in
@ -25,6 +25,8 @@ options {
 };
 view "in" {
 	allow-transfer { any; };
 	zone "example." {
 		type primary;
 		file "example-in.db";
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@ -26,6 +26,7 @@ options {
 	listen-on { 10.53.0.1; };
 	listen-on tls ephemeral { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/upforwd/ns2/named.conf.in
+++ b/bin/tests/system/upforwd/ns2/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/upforwd/ns3/named1.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@ -21,6 +21,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/upforwd/ns3/named2.conf.in
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@ -21,6 +21,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/views/ns2/named1.conf.in
+++ b/bin/tests/system/views/ns2/named1.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/views/ns2/named2.conf.in
+++ b/bin/tests/system/views/ns2/named2.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/views/ns2/named3.conf.in
+++ b/bin/tests/system/views/ns2/named3.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
--- a/bin/tests/system/xfer/ns1/named1.conf.in
+++ b/bin/tests/system/xfer/ns1/named1.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns1/named2.conf.in
+++ b/bin/tests/system/xfer/ns1/named2.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns1/named3.conf.in
+++ b/bin/tests/system/xfer/ns1/named3.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns2/named.conf.in
+++ b/bin/tests/system/xfer/ns2/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns3/named.conf.in
+++ b/bin/tests/system/xfer/ns3/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns4/named.conf.base.in
+++ b/bin/tests/system/xfer/ns4/named.conf.base.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns6/named.conf.in
+++ b/bin/tests/system/xfer/ns6/named.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.6; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns7/named.conf.in
+++ b/bin/tests/system/xfer/ns7/named.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xfer/ns8/named.conf.in
+++ b/bin/tests/system/xfer/ns8/named.conf.in
@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.8; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
--- a/bin/tests/system/xfer/tests.sh
+++ b/bin/tests/system/xfer/tests.sh
@ -255,7 +255,7 @@ status=$((status + tmp))
 n=$((n + 1))
 echo_i "check that a multi-message uncompressable zone transfers ($n)"
-$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out
+$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out || tmp=1
 if test $(wc -l <axfr.out) != 2; then
  echo_i "failed"
  status=$((status + 1))
--- a/bin/tests/system/xferquota/ns1/named.conf.in
+++ b/bin/tests/system/xferquota/ns1/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
--- a/bin/tests/system/xferquota/ns2/named.conf.in
+++ b/bin/tests/system/xferquota/ns2/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
--- a/bin/tests/system/zero/ns2/named.conf.in
+++ b/bin/tests/system/zero/ns2/named.conf.in
@ -21,6 +21,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	dnssec-validation no;
 	allow-transfer { any; };
 };
 zone "example" {
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -3054,8 +3054,7 @@ for details on how to specify IP address lists.
   This specifies which hosts are allowed to receive zone transfers from the
   server. :any:`allow-transfer` may also be specified in the :any:`zone`
   statement, in which case it overrides the :any:`allow-transfer`
-   statement set in :namedconf:ref:`options` or :any:`view`. If not specified, the
+   statement set in :namedconf:ref:`options` or :any:`view`.
   default is to allow transfers to all hosts.
   The transport level limitations can also be specified. In particular,
   zone transfers can be restricted to a specific port and/or DNS
@ -3068,6 +3067,9 @@ for details on how to specify IP address lists.
   allows outgoing zone transfers to any host using the TLS transport
   over port 853.
   If :any:`allow-transfer` is not specified, then the default is
   ``none``; outgoing zone transfers are disabled.
 .. warning::
   Please note that incoming TLS connections are