FILTER-A(8)                         BIND 9                         FILTER-A(8)

NAME

       filter-a - filter A in DNS responses when AAAA is present

SYNOPSIS

       plugin query "filter-a.so" [{ parameters }];

DESCRIPTION

       filter-a.so is a query plugin module for named, enabling named to omit
       some IPv4 addresses when responding to clients.

       For example:

          plugin query "filter-a.so" {
                  filter-a-on-v6 yes;
                  filter-a-on-v4 yes;
                  filter-a { 192.0.2.1; 2001:db8:2::1; };
          };

       This module is intended to aid transition from IPv4 to IPv6 by
       withholding IPv4 addresses from DNS clients which are not connected to
       the IPv4 Internet, when the name being looked up has an IPv6 address
       available. Use of this module is not recommended unless absolutely
       necessary.

       Note: This mechanism can erroneously cause other servers not to give A
       records to their clients. If a recursing server with both IPv6 and IPv4
       network connections queries an authoritative server using this
       mechanism via IPv6, it is denied A records even if its client is using
       IPv4.

OPTIONS

       filter-a
              This option specifies a list of client addresses for which A
              filtering is to be applied. The default is any.

       filter-a-on-v6
              If set to yes, and the DNS client is at an IPv6 address that
              matches filter-a, and the response does not include DNSSEC
              signatures, then all A records are deleted from the response.
              This filtering applies to all responses, not only authoritative
              ones.

              If set to break-dnssec, then A records are deleted even when
              DNSSEC is enabled. As suggested by the name, this causes the
              response to fail to verify, because the DNSSEC protocol is
              designed to detect deletions.

              This mechanism can erroneously cause other servers not to give A
              records to their clients. If a recursing server with both IPv6
              and IPv4 network connections queries an authoritative server
              using this mechanism via IPv6, it is denied A records even if its
              client is using IPv4.

       filter-a-on-v4
              This option is identical to filter-a-on-v6, except that it
              filters A responses to queries from IPv4 clients instead of IPv6
              clients. To filter all responses, set both options to yes.
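
       The option rules above, written out as a small Python model. This is an
       added example, not BIND code and not part of the original manual; it
       covers only what this page states, and the class FilterA, its method
       names and the value "no" for a disabled option are assumptions.

```python
# Added example: simplified model of the rules on this page, not BIND code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ("0.0.0.0/0", "::/0")  # models the documented default, "any"

@dataclass
class FilterA:
    on_v6: str = "no"  # "yes", "break-dnssec" or "no" (assumed: disabled)
    on_v4: str = "no"
    acl: tuple = ANY   # the filter-a client address list

    def mode_for(self, client: str) -> str:
        """Mode that applies to this client address, "no" if none does."""
        addr = ip_address(client)
        nets = [ip_network(n) for n in self.acl]
        if not any(n.version == addr.version and addr in n for n in nets):
            return "no"
        return self.on_v6 if addr.version == 6 else self.on_v4

    def apply(self, client: str, records: list, signed: bool) -> list:
        """Return the (type, rdata) records this client would receive."""
        mode = self.mode_for(client)
        has_aaaa = any(rtype == "AAAA" for rtype, _ in records)
        if mode == "no" or not has_aaaa:
            return list(records)   # client not filtered, or no AAAA present
        if signed and mode != "break-dnssec":
            return list(records)   # "yes" leaves signed responses intact
        return [(t, d) for t, d in records if t != "A"]

# Constructed sample data (documentation address ranges).
DUAL = [("A", "198.51.100.7"), ("AAAA", "2001:db8::7")]
CFG = FilterA("yes", "yes", ("192.0.2.1", "2001:db8:2::1"))  # page's example

def demo() -> dict:
    """Record types delivered in the cases the page describes."""
    kinds = lambda recs: [t for t, _ in recs]
    return {
        "listed v6, unsigned": kinds(CFG.apply("2001:db8:2::1", DUAL, False)),
        "listed v6, signed": kinds(CFG.apply("2001:db8:2::1", DUAL, True)),
        "unlisted v6": kinds(CFG.apply("2001:db8:2::2", DUAL, False)),
        "dual-stack resolver via v6, acl any":
            kinds(FilterA(on_v6="yes").apply("2001:db8:9::53", DUAL, False)),
    }

if __name__ == "__main__":
    print(demo())
```

       The last case is the caveat from the note: with the default list of
       any, a dual-stack resolver that queries over IPv6 loses the A records
       regardless of what its own clients use.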

SEE ALSO

       BIND 9 Administrator Reference Manual.

AUTHOR

       Internet Systems Consortium

       2023, Internet Systems Consortium

9.18.11                                                            FILTER-A(8)