From: Evan Hunt <each@isc.org>
Date: Thu, 16 May 2024 22:23:22 +0000 (-0700)
Subject: change allow-transfer default to "none"
X-Git-Tag: v9.20.0~12^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3d3d12911bbf602011d3cd4030cae9ea114a52c;p=thirdparty%2Fbind9.git

change allow-transfer default to "none"

Changed the default value for 'allow-transfer' to 'none'; zone
transfers now require explicit authorization.

Updated all system tests to specify an allow-transfer ACL when needed.

Revised the ARM to specify that the default is 'none'.
---

diff --git a/bin/named/config.c b/bin/named/config.c
index 56e58d285a5..38ddc7ca238 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -207,7 +207,7 @@ options {\n\
 	/* zone */\n\
 	allow-query {any;};\n\
 	allow-query-on {any;};\n\
-	allow-transfer {any;};\n\
+	allow-transfer {none;};\n\
 #	also-notify <none>\n\
 	check-integrity yes;\n\
 	check-mx-cname warn;\n\
diff --git a/bin/tests/system/addzone/ns1/named.conf.in b/bin/tests/system/addzone/ns1/named.conf.in
index 8c94791c8a2..30731c46a62 100644
--- a/bin/tests/system/addzone/ns1/named.conf.in
+++ b/bin/tests/system/addzone/ns1/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	allow-query { any; };
 	allow-new-zones yes;
 	recursion no;
diff --git a/bin/tests/system/addzone/ns3/named1.conf.in b/bin/tests/system/addzone/ns3/named1.conf.in
index 117ca76204c..ba7476be932 100644
--- a/bin/tests/system/addzone/ns3/named1.conf.in
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@@ -23,6 +23,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-query { any; };
+	allow-transfer { any; };
 	recursion no;
 	allow-new-zones yes;
 	dnssec-validation no;
diff --git a/bin/tests/system/addzone/ns3/named2.conf.in b/bin/tests/system/addzone/ns3/named2.conf.in
index 2e95b4c2577..76e4b8a466d 100644
--- a/bin/tests/system/addzone/ns3/named2.conf.in
+++ b/bin/tests/system/addzone/ns3/named2.conf.in
@@ -23,6 +23,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	allow-query { any; };
+	allow-transfer { any; };
 	recursion no;
 	allow-new-zones yes;
 	dnssec-validation no;
diff --git a/bin/tests/system/auth/ns1/named.conf.in b/bin/tests/system/auth/ns1/named.conf.in
index 9d0a517b68d..7fdc1a1524a 100644
--- a/bin/tests/system/auth/ns1/named.conf.in
+++ b/bin/tests/system/auth/ns1/named.conf.in
@@ -25,6 +25,8 @@ options {
 };
 
 view main in {
+	allow-transfer { any; };
+
 	zone example.net {
 		type primary;
 		file "example.net.db";
diff --git a/bin/tests/system/autosign/ns1/named.conf.in b/bin/tests/system/autosign/ns1/named.conf.in
index 64214825954..fb76b65dc90 100644
--- a/bin/tests/system/autosign/ns1/named.conf.in
+++ b/bin/tests/system/autosign/ns1/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in
index eb0b0803861..f4c555b0d76 100644
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 2316de29326..3707a2c7c9d 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -24,6 +24,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
diff --git a/bin/tests/system/cacheclean/ns1/named.conf.in b/bin/tests/system/cacheclean/ns1/named.conf.in
index 98d2b281be5..fa6fe276b2f 100644
--- a/bin/tests/system/cacheclean/ns1/named.conf.in
+++ b/bin/tests/system/cacheclean/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/case/ns1/named.conf.in b/bin/tests/system/case/ns1/named.conf.in
index fa0d8084d8f..5e90084294a 100644
--- a/bin/tests/system/case/ns1/named.conf.in
+++ b/bin/tests/system/case/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	ixfr-from-differences yes;
diff --git a/bin/tests/system/case/ns2/named.conf.in b/bin/tests/system/case/ns2/named.conf.in
index fe0b52ca7a2..5ea648bfca3 100644
--- a/bin/tests/system/case/ns2/named.conf.in
+++ b/bin/tests/system/case/ns2/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	ixfr-from-differences yes;
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
index 9de019b6b44..bef4751295b 100644
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
index 99055688586..ead45a85afa 100644
--- a/bin/tests/system/catz/ns2/named2.conf.in
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
diff --git a/bin/tests/system/catz/ns3/named.conf.in b/bin/tests/system/catz/ns3/named.conf.in
index 59a75b0a295..934eced2a1b 100644
--- a/bin/tests/system/catz/ns3/named.conf.in
+++ b/bin/tests/system/catz/ns3/named.conf.in
@@ -27,6 +27,7 @@ options {
 	provide-ixfr no;
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
diff --git a/bin/tests/system/catz/ns4/named.conf.in b/bin/tests/system/catz/ns4/named.conf.in
index 3ac60b2dd88..75cb19e3ea7 100644
--- a/bin/tests/system/catz/ns4/named.conf.in
+++ b/bin/tests/system/catz/ns4/named.conf.in
@@ -26,6 +26,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { fd92:7065:b8e:ffff::4; };
+	allow-transfer { any; };
 	notify no;
 	notify-delay 0;
 	recursion no;
diff --git a/bin/tests/system/checknames/ns4/named.conf.in b/bin/tests/system/checknames/ns4/named.conf.in
index 841bb5904ec..7b121fe6340 100644
--- a/bin/tests/system/checknames/ns4/named.conf.in
+++ b/bin/tests/system/checknames/ns4/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation yes;
 	check-names primary ignore;
diff --git a/bin/tests/system/checknames/ns5/named.conf.in b/bin/tests/system/checknames/ns5/named.conf.in
index dec85ec498c..62c870bf7c1 100644
--- a/bin/tests/system/checknames/ns5/named.conf.in
+++ b/bin/tests/system/checknames/ns5/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation yes;
 	check-names master ignore;
diff --git a/bin/tests/system/dialup/ns1/named.conf.in b/bin/tests/system/dialup/ns1/named.conf.in
index a9c67775093..75a497bca19 100644
--- a/bin/tests/system/dialup/ns1/named.conf.in
+++ b/bin/tests/system/dialup/ns1/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	heartbeat-interval 1;
 	recursion no;
 	dnssec-validation no;
diff --git a/bin/tests/system/dialup/ns2/named.conf.in b/bin/tests/system/dialup/ns2/named.conf.in
index 166b463189a..495e2670584 100644
--- a/bin/tests/system/dialup/ns2/named.conf.in
+++ b/bin/tests/system/dialup/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	heartbeat-interval 1;
 	recursion no;
 	dnssec-validation no;
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 6a3e6ca4a7c..6e9ccf68a92 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index f3675f4c314..d8f45a825a5 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
diff --git a/bin/tests/system/inline/ns1/named.conf.in b/bin/tests/system/inline/ns1/named.conf.in
index da27c58c87a..897e764ef96 100644
--- a/bin/tests/system/inline/ns1/named.conf.in
+++ b/bin/tests/system/inline/ns1/named.conf.in
@@ -23,6 +23,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in
index e367b6052fc..30c8af3e8f2 100644
--- a/bin/tests/system/inline/ns2/named.conf.in
+++ b/bin/tests/system/inline/ns2/named.conf.in
@@ -27,6 +27,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	notify-delay 0;
diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in
index ff91985cf47..8c6a41c0348 100644
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
@@ -28,6 +28,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	recursion no;
+	allow-transfer { any; };
 	notify yes;
 	try-tcp-refresh no;
 	notify-delay 0;
diff --git a/bin/tests/system/inline/ns4/named.conf.in b/bin/tests/system/inline/ns4/named.conf.in
index c0745f40ffb..42a21bdcedf 100644
--- a/bin/tests/system/inline/ns4/named.conf.in
+++ b/bin/tests/system/inline/ns4/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	notify-delay 0;
diff --git a/bin/tests/system/ixfr/ns1/named.conf.in b/bin/tests/system/ixfr/ns1/named.conf.in
index 48fc1cd01cb..1bf58a7f3cd 100644
--- a/bin/tests/system/ixfr/ns1/named.conf.in
+++ b/bin/tests/system/ixfr/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
diff --git a/bin/tests/system/ixfr/ns4/named.conf.in b/bin/tests/system/ixfr/ns4/named.conf.in
index ae6657e13e9..83cc318ec24 100644
--- a/bin/tests/system/ixfr/ns4/named.conf.in
+++ b/bin/tests/system/ixfr/ns4/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
diff --git a/bin/tests/system/ixfr/ns5/named.conf.in b/bin/tests/system/ixfr/ns5/named.conf.in
index e1056fc589a..03c8f86732d 100644
--- a/bin/tests/system/ixfr/ns5/named.conf.in
+++ b/bin/tests/system/ixfr/ns5/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	provide-ixfr no;
diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in
index dd245ca9194..df02b2d4629 100644
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -64,6 +64,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-policy "test";
 	dnssec-validation no;
diff --git a/bin/tests/system/kasp/ns5/named.conf.in b/bin/tests/system/kasp/ns5/named.conf.in
index 643e6494c6e..958510359d3 100644
--- a/bin/tests/system/kasp/ns5/named.conf.in
+++ b/bin/tests/system/kasp/ns5/named.conf.in
@@ -49,6 +49,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-policy "none";
 	dnssec-validation no;
diff --git a/bin/tests/system/masterfile/ns1/named.conf.in b/bin/tests/system/masterfile/ns1/named.conf.in
index 4203aae917c..788eaa646b0 100644
--- a/bin/tests/system/masterfile/ns1/named.conf.in
+++ b/bin/tests/system/masterfile/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation no;
diff --git a/bin/tests/system/masterfile/ns2/named.conf.in b/bin/tests/system/masterfile/ns2/named.conf.in
index e1e8dc2bf6b..6333b05f40d 100644
--- a/bin/tests/system/masterfile/ns2/named.conf.in
+++ b/bin/tests/system/masterfile/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	dnssec-validation yes;
diff --git a/bin/tests/system/mirror/ns1/named.conf.in b/bin/tests/system/mirror/ns1/named.conf.in
index 22173f7996c..32f6d2e29c0 100644
--- a/bin/tests/system/mirror/ns1/named.conf.in
+++ b/bin/tests/system/mirror/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 };
diff --git a/bin/tests/system/mirror/ns2/named.conf.in b/bin/tests/system/mirror/ns2/named.conf.in
index 7eaed5b11f2..57261bfc073 100644
--- a/bin/tests/system/mirror/ns2/named.conf.in
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 };
diff --git a/bin/tests/system/notify/ns2/named.conf.in b/bin/tests/system/notify/ns2/named.conf.in
index 3f16e229dbe..a71a799ce1d 100644
--- a/bin/tests/system/notify/ns2/named.conf.in
+++ b/bin/tests/system/notify/ns2/named.conf.in
@@ -20,6 +20,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	notify yes;
 	startup-notify-rate 5;
diff --git a/bin/tests/system/notify/ns4/named.conf.in b/bin/tests/system/notify/ns4/named.conf.in
index 2f0b930b425..ce6373d6056 100644
--- a/bin/tests/system/notify/ns4/named.conf.in
+++ b/bin/tests/system/notify/ns4/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	notify yes;
 	dnssec-validation no;
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
index 3104bc7b6ae..5bdaa57456b 100644
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -34,6 +34,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	notify yes;
 	dnssec-validation no;
diff --git a/bin/tests/system/rpz/ns1/named.conf.in b/bin/tests/system/rpz/ns1/named.conf.in
index 8b466f0f369..e7af61d0737 100644
--- a/bin/tests/system/rpz/ns1/named.conf.in
+++ b/bin/tests/system/rpz/ns1/named.conf.in
@@ -20,6 +20,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	dnssec-validation no;
diff --git a/bin/tests/system/rpz/ns10/named.conf.in b/bin/tests/system/rpz/ns10/named.conf.in
index d645e381c7a..2cbb6ee838a 100644
--- a/bin/tests/system/rpz/ns10/named.conf.in
+++ b/bin/tests/system/rpz/ns10/named.conf.in
@@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.10; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
diff --git a/bin/tests/system/rpz/ns2/named.conf.in b/bin/tests/system/rpz/ns2/named.conf.in
index 9b2ab3a81f0..617edd9e9d2 100644
--- a/bin/tests/system/rpz/ns2/named.conf.in
+++ b/bin/tests/system/rpz/ns2/named.conf.in
@@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index b2ba42720c0..51caae34313 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
diff --git a/bin/tests/system/rpz/ns4/named.conf.in b/bin/tests/system/rpz/ns4/named.conf.in
index 909f1c63aac..a5ef523ced3 100644
--- a/bin/tests/system/rpz/ns4/named.conf.in
+++ b/bin/tests/system/rpz/ns4/named.conf.in
@@ -20,6 +20,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify no;
 	minimal-responses no;
 	recursion yes;
diff --git a/bin/tests/system/rpz/ns5/named.conf.in b/bin/tests/system/rpz/ns5/named.conf.in
index 58b591b70dd..e24d80e0064 100644
--- a/bin/tests/system/rpz/ns5/named.conf.in
+++ b/bin/tests/system/rpz/ns5/named.conf.in
@@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	ixfr-from-differences yes;
 	notify-delay 0;
 	notify yes;
diff --git a/bin/tests/system/rpz/ns6/named.conf.in b/bin/tests/system/rpz/ns6/named.conf.in
index 5c4b77437f9..09101eec06c 100644
--- a/bin/tests/system/rpz/ns6/named.conf.in
+++ b/bin/tests/system/rpz/ns6/named.conf.in
@@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.6; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	forward only;
 	forwarders { 10.53.0.3; };
 	minimal-responses no;
diff --git a/bin/tests/system/rpz/ns7/named.conf.in b/bin/tests/system/rpz/ns7/named.conf.in
index 3aed1a2bb1a..1eb209e3f3b 100644
--- a/bin/tests/system/rpz/ns7/named.conf.in
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	minimal-responses no;
 	recursion yes;
 	dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns8/named.conf.in b/bin/tests/system/rpz/ns8/named.conf.in
index 87f6c8e3526..de4b2a411b3 100644
--- a/bin/tests/system/rpz/ns8/named.conf.in
+++ b/bin/tests/system/rpz/ns8/named.conf.in
@@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.8; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
diff --git a/bin/tests/system/rpz/ns9/named.conf.in b/bin/tests/system/rpz/ns9/named.conf.in
index 6010082c8fc..5740193aeeb 100644
--- a/bin/tests/system/rpz/ns9/named.conf.in
+++ b/bin/tests/system/rpz/ns9/named.conf.in
@@ -25,6 +25,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.9; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	notify yes;
 	minimal-responses no;
 	recursion yes;
diff --git a/bin/tests/system/rrsetorder/ns1/named.conf.in b/bin/tests/system/rrsetorder/ns1/named.conf.in
index 98301c2e5b1..2f1850d1d7f 100644
--- a/bin/tests/system/rrsetorder/ns1/named.conf.in
+++ b/bin/tests/system/rrsetorder/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
diff --git a/bin/tests/system/serve-stale/ns1/named1.conf.in b/bin/tests/system/serve-stale/ns1/named1.conf.in
index d25611db021..5b20f4afa4e 100644
--- a/bin/tests/system/serve-stale/ns1/named1.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named1.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 3600;
diff --git a/bin/tests/system/serve-stale/ns1/named2.conf.in b/bin/tests/system/serve-stale/ns1/named2.conf.in
index 82e5e76550c..d0bfdbe858f 100644
--- a/bin/tests/system/serve-stale/ns1/named2.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named2.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 3600;
diff --git a/bin/tests/system/serve-stale/ns1/named3.conf.in b/bin/tests/system/serve-stale/ns1/named3.conf.in
index 4f6f17573a7..22078635e08 100644
--- a/bin/tests/system/serve-stale/ns1/named3.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named3.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 20;
diff --git a/bin/tests/system/serve-stale/ns1/named4.conf.in b/bin/tests/system/serve-stale/ns1/named4.conf.in
index f2cc2a853c2..9bf2f76710b 100644
--- a/bin/tests/system/serve-stale/ns1/named4.conf.in
+++ b/bin/tests/system/serve-stale/ns1/named4.conf.in
@@ -28,6 +28,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	max-stale-ttl 20;
diff --git a/bin/tests/system/timeouts/ns1/named.conf.in b/bin/tests/system/timeouts/ns1/named.conf.in
index b7d468b3822..b093f86b1aa 100644
--- a/bin/tests/system/timeouts/ns1/named.conf.in
+++ b/bin/tests/system/timeouts/ns1/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	dnssec-validation no;
 	recursion no;
 	notify no;
diff --git a/bin/tests/system/unknown/ns1/named.conf.in b/bin/tests/system/unknown/ns1/named.conf.in
index a4b98db7afb..23fb632575a 100644
--- a/bin/tests/system/unknown/ns1/named.conf.in
+++ b/bin/tests/system/unknown/ns1/named.conf.in
@@ -25,6 +25,8 @@ options {
 };
 
 view "in" {
+	allow-transfer { any; };
+
 	zone "example." {
 		type primary;
 		file "example-in.db";
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index 721f4fe3407..79d66c2fa40 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -26,6 +26,7 @@ options {
 	listen-on { 10.53.0.1; };
 	listen-on tls ephemeral { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/upforwd/ns2/named.conf.in b/bin/tests/system/upforwd/ns2/named.conf.in
index 2322aa19846..06cd8e5bb8a 100644
--- a/bin/tests/system/upforwd/ns2/named.conf.in
+++ b/bin/tests/system/upforwd/ns2/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/upforwd/ns3/named1.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
index b1e42f71cd1..df51f7bb2c2 100644
--- a/bin/tests/system/upforwd/ns3/named1.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -21,6 +21,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
index 1fe3e0488a0..074c40a7513 100644
--- a/bin/tests/system/upforwd/ns3/named2.conf.in
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@@ -21,6 +21,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/views/ns2/named1.conf.in b/bin/tests/system/views/ns2/named1.conf.in
index cab21869c8e..4fd3ee55013 100644
--- a/bin/tests/system/views/ns2/named1.conf.in
+++ b/bin/tests/system/views/ns2/named1.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/views/ns2/named2.conf.in b/bin/tests/system/views/ns2/named2.conf.in
index ac861347a0c..de312f10a5e 100644
--- a/bin/tests/system/views/ns2/named2.conf.in
+++ b/bin/tests/system/views/ns2/named2.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/views/ns2/named3.conf.in b/bin/tests/system/views/ns2/named3.conf.in
index d84cda96921..4c25f30c75d 100644
--- a/bin/tests/system/views/ns2/named3.conf.in
+++ b/bin/tests/system/views/ns2/named3.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
diff --git a/bin/tests/system/xfer/ns1/named1.conf.in b/bin/tests/system/xfer/ns1/named1.conf.in
index 469e085d116..1f010ff8886 100644
--- a/bin/tests/system/xfer/ns1/named1.conf.in
+++ b/bin/tests/system/xfer/ns1/named1.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xfer/ns1/named2.conf.in b/bin/tests/system/xfer/ns1/named2.conf.in
index 401de479eca..3803b49056f 100644
--- a/bin/tests/system/xfer/ns1/named2.conf.in
+++ b/bin/tests/system/xfer/ns1/named2.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xfer/ns1/named3.conf.in b/bin/tests/system/xfer/ns1/named3.conf.in
index b195986cdac..f22dd736403 100644
--- a/bin/tests/system/xfer/ns1/named3.conf.in
+++ b/bin/tests/system/xfer/ns1/named3.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xfer/ns2/named.conf.in b/bin/tests/system/xfer/ns2/named.conf.in
index 6cb056b2a2c..761e112893a 100644
--- a/bin/tests/system/xfer/ns2/named.conf.in
+++ b/bin/tests/system/xfer/ns2/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xfer/ns3/named.conf.in b/bin/tests/system/xfer/ns3/named.conf.in
index b071e0cb330..1ee07d8bc61 100644
--- a/bin/tests/system/xfer/ns3/named.conf.in
+++ b/bin/tests/system/xfer/ns3/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion yes;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xfer/ns4/named.conf.base.in b/bin/tests/system/xfer/ns4/named.conf.base.in
index e982715a5e2..4f98d4e4df7 100644
--- a/bin/tests/system/xfer/ns4/named.conf.base.in
+++ b/bin/tests/system/xfer/ns4/named.conf.base.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xfer/ns6/named.conf.in b/bin/tests/system/xfer/ns6/named.conf.in
index 142383c89a8..8fd14bd7b1e 100644
--- a/bin/tests/system/xfer/ns6/named.conf.in
+++ b/bin/tests/system/xfer/ns6/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.6; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xfer/ns7/named.conf.in b/bin/tests/system/xfer/ns7/named.conf.in
index 41ea1cbc2a2..5861106633b 100644
--- a/bin/tests/system/xfer/ns7/named.conf.in
+++ b/bin/tests/system/xfer/ns7/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xfer/ns8/named.conf.in b/bin/tests/system/xfer/ns8/named.conf.in
index 88e738c1216..3d476ba3661 100644
--- a/bin/tests/system/xfer/ns8/named.conf.in
+++ b/bin/tests/system/xfer/ns8/named.conf.in
@@ -25,6 +25,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.8; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
index 76b51dfd6be..950268def41 100755
--- a/bin/tests/system/xfer/tests.sh
+++ b/bin/tests/system/xfer/tests.sh
@@ -255,7 +255,7 @@ status=$((status + tmp))
 
 n=$((n + 1))
 echo_i "check that a multi-message uncompressable zone transfers ($n)"
-$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out
+$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out || tmp=1
 if test $(wc -l <axfr.out) != 2; then
   echo_i "failed"
   status=$((status + 1))
diff --git a/bin/tests/system/xferquota/ns1/named.conf.in b/bin/tests/system/xferquota/ns1/named.conf.in
index e868318ae6b..67f2e63f405 100644
--- a/bin/tests/system/xferquota/ns1/named.conf.in
+++ b/bin/tests/system/xferquota/ns1/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
diff --git a/bin/tests/system/xferquota/ns2/named.conf.in b/bin/tests/system/xferquota/ns2/named.conf.in
index a82fa44c2bd..6aaf525901c 100644
--- a/bin/tests/system/xferquota/ns2/named.conf.in
+++ b/bin/tests/system/xferquota/ns2/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
+	allow-transfer { any; };
 	recursion no;
 	dnssec-validation no;
 	notify no;
diff --git a/bin/tests/system/zero/ns2/named.conf.in b/bin/tests/system/zero/ns2/named.conf.in
index 751eafdb0b3..66291469001 100644
--- a/bin/tests/system/zero/ns2/named.conf.in
+++ b/bin/tests/system/zero/ns2/named.conf.in
@@ -21,6 +21,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	dnssec-validation no;
+	allow-transfer { any; };
 };
 
 zone "example" {
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 0e545295dbc..4c0cc55e581 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3054,8 +3054,7 @@ for details on how to specify IP address lists.
    This specifies which hosts are allowed to receive zone transfers from the
    server. :any:`allow-transfer` may also be specified in the :any:`zone`
    statement, in which case it overrides the :any:`allow-transfer`
-   statement set in :namedconf:ref:`options` or :any:`view`. If not specified, the
-   default is to allow transfers to all hosts.
+   statement set in :namedconf:ref:`options` or :any:`view`.
 
    The transport level limitations can also be specified. In particular,
    zone transfers can be restricted to a specific port and/or DNS
@@ -3068,6 +3067,9 @@ for details on how to specify IP address lists.
    allows outgoing zone transfers to any host using the TLS transport
    over port 853.
 
+   If :any:`allow-transfer` is not specified, then the default is
+   ``none``; outgoing zone transfers are disabled.
+
 .. warning::
 
    Please note that incoming TLS connections are