RHEL / RHEL-57679

bind: Support for TLS mutual authentication of zone transfers

    • Type: Story
    • Resolution: Unresolved
    • Component: bind
    • sst_cs_infra_services
    • ssg_core_services

      Document from CISA

      https://www.cisa.gov/resources-tools/resources/encrypted-dns-implementation-guidance

      Page 31. Agencies should, where possible, use mutual TLS authentication so that both the server providing the zone
      information and the server receiving it can verify that they are talking to an authorized party.

      Goal

      • Support TLS mutual authentication in zone transfer
        • As a secondary server operator, I want to use TLS with mutual authentication for zone transfers, so that zero trust operation guidelines apply.

      Acceptance Criteria

      A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

      • Verify bind can be configured to accept TLS zone transfers only
      • Verify bind verifies the server TLS certificate and accepts only the expected name and CA
      • Verify bind can send a client TLS certificate to the server when initiating a zone transfer
      • Verify bind can refuse zone transfers without a client certificate, or when the certificate is not signed by a trusted CA.
      • Verify dig can provide client TLS certificate on AXFR or IXFR requests

      Clients can already be verified with a shared secret via TSIG signatures, which use HMAC-based keys. That does not scale well when the number of zone-transfer clients is not small, as may be the case for RPZ zones, for example.
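      The following named.conf fragments are an added illustration of how the acceptance criteria above map onto configuration; they are not part of this ticket and use upstream BIND 9.18 syntax (tls blocks with ca-file and remote-hostname, listen-on ... tls, allow-transfer ... transport tls, primaries ... tls). Whether the RHEL bind package provides these statements is exactly what this story asks to be verified. Addresses, hostnames, zone name and certificate paths are placeholders.

```conf
// Added example, not from the ticket. Upstream BIND 9.18 syntax; all names,
// addresses and paths are placeholders.

// ---- primary (192.0.2.10): AXFR/IXFR over TLS only, client certificate required ----
tls xfr-server {
    key-file  "/etc/pki/tls/private/ns1.example.key";
    cert-file "/etc/pki/tls/certs/ns1.example.crt";
    // ca-file on a tls used with listen-on enables mutual TLS: a client that
    // presents no certificate, or one that does not chain to this CA, is
    // rejected during the handshake, before any AXFR/IXFR is answered.
    ca-file   "/etc/pki/tls/certs/zone-transfer-ca.crt";
    protocols { TLSv1.3; };
};

options {
    listen-on port 853 tls xfr-server { 192.0.2.10; };
    // No plaintext transfers: only TLS transport on port 853 is allowed.
    allow-transfer port 853 transport tls { any; };
};

zone "rpz.example" {
    type primary;
    file "rpz.example.db";
    // Scales to many secondaries without a TSIG key per client: any peer
    // holding a certificate issued by zone-transfer-ca is accepted.
    allow-transfer port 853 transport tls { any; };
};

// ---- secondary: verify the primary's name and CA, present our own certificate ----
tls xfr-client {
    // Client certificate and key sent to the primary in the TLS handshake.
    key-file  "/etc/pki/tls/private/ns2.example.key";
    cert-file "/etc/pki/tls/certs/ns2.example.crt";
    // CA used to verify the primary's certificate; remote-hostname pins the
    // name that must appear in it, so a certificate for another host, even
    // one signed by the same CA, is not accepted.
    ca-file   "/etc/pki/tls/certs/zone-transfer-ca.crt";
    remote-hostname "ns1.example";
    protocols { TLSv1.3; };
};

zone "rpz.example" {
    type secondary;
    file "rpz.example.db";
    primaries { 192.0.2.10 port 853 tls xfr-client; };
};
```

      For the dig acceptance criterion, the same upstream version accepts `dig @192.0.2.10 +tls-ca=/etc/pki/tls/certs/zone-transfer-ca.crt +tls-hostname=ns1.example +tls-certfile=/etc/pki/tls/certs/ns2.example.crt +tls-keyfile=/etc/pki/tls/private/ns2.example.key rpz.example AXFR` (the +tls-* options imply +tls and port 853). Repeating the command without +tls-certfile/+tls-keyfile, or with a certificate from a different CA, should fail the handshake rather than return the zone, which checks the "refuse without client certificate" criterion; a plain `dig ... AXFR` over TCP 53 should be refused by the allow-transfer ACL.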

            Petr Mensik (pemensik@redhat.com)
            rhel-cs-infra-services-qe
            Votes: 0
            Watchers: 1