Add isc_nm_xfr_allowed() function

The intention of having this function is to have a predicate to check
if a zone transfer could be performed over the given handle. In most
cases we can assume that we can do zone transfers over any stream
transport except DoH, but this assumption will not work for zone
transfers over DoT (XoT), as the RFC9103 requires ALPN to happen,
which might not be the case for all deployments of DoT.

lib/isc/include/isc/netmgr.h

@@ -597,6 +597,15 @@ isc_nm_bad_request(isc_nmhandle_t *handle);
  *  \li 'handle' is a valid netmgr handle object.
  */
 
+bool
+isc_nm_xfr_allowed(isc_nmhandle_t *handle);
+/*%<
+ * Check if it is possible to do a zone transfer over the given handle.
+ *
+ * Requires:
+ * \li	'handle' is a valid connection handle.
+ */
+
 void
 isc_nm_task_enqueue(isc_nm_t *mgr, isc_task_t *task, int threadid);
 /*%<

lib/isc/netmgr/netmgr-int.h

@@ -1580,6 +1580,16 @@ isc__nm_async_tlsdnsread(isc__networker_t *worker, isc__netievent_t *ev0);
  * Callback handlers for asynchronous TLSDNS events.
  */
 
+bool
+isc__nm_tlsdns_xfr_allowed(isc_nmsocket_t *sock);
+/*%<
+ * Check if it is possible to do a zone transfer over the given TLSDNS
+ * socket.
+ *
+ * Requires:
+ * \li	'sock' is a valid TLSDNS socket.
+ */
+
 #if HAVE_LIBNGHTTP2
 void
 isc__nm_tls_send(isc_nmhandle_t *handle, const isc_region_t *region,

lib/isc/netmgr/netmgr.c

@@ -3394,6 +3394,30 @@ isc_nm_bad_request(isc_nmhandle_t *handle) {
 	}
 }
 
+bool
+isc_nm_xfr_allowed(isc_nmhandle_t *handle) {
+	isc_nmsocket_t *sock;
+
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	sock = handle->sock;
+
+	switch (sock->type) {
+	case isc_nm_tcpdnssocket:
+		return (true);
+	case isc_nm_tlsdnssocket:
+		return (isc__nm_tlsdns_xfr_allowed(sock));
+	default:
+		return (false);
+	}
+
+	INSIST(0);
+	ISC_UNREACHABLE();
+
+	return (false);
+}
+
 #ifdef NETMGR_TRACE
 /*
  * Dump all active sockets in netmgr. We output to stderr

lib/isc/netmgr/tlsdns.c

@@ -2029,3 +2029,26 @@ isc__nm_async_tlsdnscancel(isc__networker_t *worker, isc__netievent_t *ev0) {
 
 	isc__nm_failed_read_cb(sock, ISC_R_EOF, false);
 }
+
+/* Zone transfers/updates over TLS are allowed only when "dot" ALPN
+ * was negotiated.
+ *
+ * Per the XoT spec, we must also check that the TLS version is >=
+ * 1.3. The check could be added here. However, we still need to
+ * support platforms where no cryptographic library with TLSv1.3
+ * support is available. As a result of this we cannot be too strict
+ * regarding the minimal TLS protocol version in order to make it
+ * possible to do encrypted zone transfers over TLSv1.2, as it would
+ * not be right to leave users on these platforms without means for
+ * encrypted zone transfers using BIND only.
+ *
+ * The ones requiring strict compatibility with the specification
+ * could disable TLSv1.2 in the configuration file.
+ */
+bool
+isc__nm_tlsdns_xfr_allowed(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tlsdnssocket);
+
+	return (sock->tls.alpn_negotiated);
+}