
man pages section 8: System Administration Commands


Updated: Wednesday, July 27, 2022
 
 

filter-aaaa (8)


FILTER-AAAA(8)                      BIND 9                      FILTER-AAAA(8)



NAME
       filter-aaaa - filter AAAA in DNS responses when A is present

SYNOPSIS
       plugin query "filter-aaaa.so" [{ parameters }];

DESCRIPTION
       filter-aaaa.so  is  a  query plugin module for named, enabling named to
       omit some IPv6 addresses when responding to clients.

       Until BIND 9.12, this feature was implemented natively in named and
       enabled with the filter-aaaa ACL and the filter-aaaa-on-v4 and
       filter-aaaa-on-v6 options. These options are now deprecated in
       named.conf but can be passed as parameters to the filter-aaaa.so
       plugin, for example:

          plugin query "/usr/local/lib/filter-aaaa.so" {
                  filter-aaaa-on-v4 yes;
                  filter-aaaa-on-v6 yes;
                  filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
          };

       This module is intended to aid transition from IPv4 to IPv6 by
       withholding IPv6 addresses from DNS clients which are not connected
       to the IPv6 Internet, when the name being looked up has an IPv4
       address available. Use of this module is not recommended unless
       absolutely necessary.

       Note: This mechanism can erroneously cause other servers  not  to  give
       AAAA records to their clients. If a recursing server with both IPv6 and
       IPv4 network connections queries an  authoritative  server  using  this
       mechanism  via  IPv4,  it  is denied AAAA records even if its client is
       using IPv6.

OPTIONS
       filter-aaaa
              This option specifies a list of client addresses for which  AAAA
              filtering is to be applied. The default is any.

       filter-aaaa-on-v4
              If set to yes, and the DNS client is at an IPv4 address that
              matches filter-aaaa, and the response does not include DNSSEC
              signatures, then all AAAA records are deleted from the
              response. This filtering applies to all responses, not only
              authoritative ones.

              If  set to break-dnssec, then AAAA records are deleted even when
              DNSSEC is enabled. As suggested by the  name,  this  causes  the
              response  to  fail  to  verify,  because  the DNSSEC protocol is
              designed to detect deletions.

              This mechanism can erroneously cause other servers not  to  give
              AAAA  records  to their clients. If a recursing server with both
              IPv6 and  IPv4  network  connections  queries  an  authoritative
              server  using this mechanism via IPv4, it is denied AAAA records
              even if its client is using IPv6.

       filter-aaaa-on-v6
              This option is identical to filter-aaaa-on-v4,  except  that  it
              filters  AAAA  responses to queries from IPv6 clients instead of
              IPv4 clients. To filter all responses, set both options to yes.
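
       The rules in OPTIONS and the Note above, modelled as an added Python
       example (not code from BIND or from this manual page). The function
       name, its parameters and the sample addresses are constructed for
       illustration, and an unset option is assumed to behave as no.

```python
import ipaddress

# Models the default "filter-aaaa { any; }" from the OPTIONS section.
ANY = ("0.0.0.0/0", "::/0")


def aaaa_filtered(client, has_a, signed, on_v4="no", on_v6="no", acl=ANY):
    """Return True if AAAA records would be removed from the response.

    client  -- source address of the query as seen by named
    has_a   -- the name being looked up also has an A record
    signed  -- the response includes DNSSEC signatures
    on_v4 / on_v6 -- "no" (assumed default), "yes" or "break-dnssec"
    acl     -- addresses/networks listed in filter-aaaa
    """
    addr = ipaddress.ip_address(client)
    # filter-aaaa-on-v4 governs IPv4 clients, filter-aaaa-on-v6 IPv6 clients.
    mode = on_v4 if addr.version == 4 else on_v6
    if mode == "no" or not has_a:
        return False  # AAAA is only withheld when an A record is present
    nets = [ipaddress.ip_network(n) for n in acl]
    if not any(addr.version == n.version and addr in n for n in nets):
        return False  # client is not in the filter-aaaa list
    # "yes" leaves signed responses alone; "break-dnssec" strips anyway,
    # which makes the response fail DNSSEC validation downstream.
    return mode == "break-dnssec" or not signed


def resolver_caveat():
    """The Note's failure mode, with constructed addresses.

    A dual-stack recursive resolver asks the authoritative server over
    IPv4 on behalf of an IPv6-only end user. The server sees only the
    resolver's IPv4 source address, so the end user loses the AAAA.
    """
    resolver_v4_source = "192.0.2.53"   # constructed sample address
    return aaaa_filtered(resolver_v4_source, has_a=True, signed=False,
                         on_v4="yes")


if __name__ == "__main__":
    page_acl = ("192.0.2.1", "2001:db8:2::1")  # ACL from the example above
    print("resolver over IPv4 loses AAAA:", resolver_caveat())
    print("192.0.2.9 outside ACL:",
          aaaa_filtered("192.0.2.9", True, False, on_v4="yes", acl=page_acl))
```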


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+--------------------------+
       |ATTRIBUTE TYPE |     ATTRIBUTE VALUE      |
       +---------------+--------------------------+
       |Availability   | network/dns/bind         |
       +---------------+--------------------------+
       |Stability      | Pass-through uncommitted |
       +---------------+--------------------------+

SEE ALSO
       BIND 9 Administrator Reference Manual.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2022, Internet Systems Consortium



NOTES
       Source code for open source software components in Oracle Solaris can
       be found at
       https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.

       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from
       http://ftp.isc.org/isc/bind9/9.16.29/bind-9.16.29.tar.xz.

       Further information about this software can be found on the open source
       community website at http://www.isc.org/software/bind/.



9.16.29                           2022-05-10                    FILTER-AAAA(8)