FILTER-AAAA(8)                      BIND 9                      FILTER-AAAA(8)

NAME

       filter-aaaa - filter AAAA in DNS responses when A is present

SYNOPSIS

       plugin query "filter-aaaa.so" [{ parameters }];

DESCRIPTION

       filter-aaaa.so is a query plugin module for named, enabling named to
       omit some IPv6 addresses when responding to clients.

       Until BIND 9.12, this feature was implemented natively in named and
       enabled with the filter-aaaa ACL and the filter-aaaa-on-v4 and
       filter-aaaa-on-v6 options. These options are now deprecated in
       named.conf but can be passed as parameters to the filter-aaaa.so
       plugin, for example:

          plugin query "/usr/local/lib/filter-aaaa.so" {
                  filter-aaaa-on-v4 yes;
                  filter-aaaa-on-v6 yes;
                  filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
          };

       This module is intended to aid transition from IPv4 to IPv6 by
       withholding IPv6 addresses from DNS clients which are not connected to
       the IPv6 Internet, when the name being looked up has an IPv4 address
       available. Use of this module is not recommended unless absolutely
       necessary.

       Note: This mechanism can erroneously cause other servers not to give
       AAAA records to their clients. If a recursing server with both IPv6 and
       IPv4 network connections queries an authoritative server using this
       mechanism via IPv4, it is denied AAAA records even if its client is
       using IPv6.

OPTIONS

       filter-aaaa
              This option specifies a list of client addresses for which AAAA
              filtering is to be applied. The default is any.

       filter-aaaa-on-v4
              If set to yes and the DNS client is at an IPv4 address that
              matches filter-aaaa, then all AAAA records are deleted from the
              response, provided the response does not include DNSSEC
              signatures. This filtering applies to all responses, not only
              authoritative ones.

              If set to break-dnssec, then AAAA records are deleted even when
              DNSSEC is enabled. As suggested by the name, this causes the
              response to fail to verify, because the DNSSEC protocol is
              designed to detect deletions.

              This mechanism can erroneously cause other servers not to give
              AAAA records to their clients. If a recursing server with both
              IPv6 and IPv4 network connections queries an authoritative
              server using this mechanism via IPv4, it is denied AAAA records
              even if its client is using IPv6.

       filter-aaaa-on-v6
              This option is identical to filter-aaaa-on-v4, except that it
              filters AAAA responses to queries from IPv6 clients instead of
              IPv4 clients. To filter all responses, set both options to yes.
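
       The default of any for filter-aaaa and the note about recursing
       servers both bear on how widely the filter is scoped. The fragment
       below is an added example, not part of the original manual page; the
       addresses are constructed from documentation ranges, assuming
       192.0.2.0/24 is an IPv4-only client network and 192.0.2.53 is a
       dual-stack recursing server inside it.

```conf
// The two statements below are alternatives; load one or the other, not both.

// Broad form: filter-aaaa is left at its default of "any", so every IPv4
// client is filtered, including dual-stack recursing servers that happen
// to query over IPv4. break-dnssec also strips AAAA from signed responses,
// which then fail to verify at validating clients.
plugin query "/usr/local/lib/filter-aaaa.so" {
        filter-aaaa-on-v4 break-dnssec;
};

// Narrow form: only the known IPv4-only client network is filtered, and
// the dual-stack recursing server is excluded first with a negated entry
// (address match lists are evaluated in order, first match wins).
// "yes" leaves responses that carry DNSSEC signatures untouched.
plugin query "/usr/local/lib/filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
        filter-aaaa { !192.0.2.53; 192.0.2.0/24; };
};
```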

SEE ALSO

       BIND 9 Administrator Reference Manual.

AUTHOR

       Internet Systems Consortium

       2021, Internet Systems Consortium

9.16.23-RH                                                      FILTER-AAAA(8)