FILTER-AAAA(8)                      BIND 9                      FILTER-AAAA(8)

NAME
       filter-aaaa - filter AAAA in DNS responses when A is present

SYNOPSIS
       plugin query "filter-aaaa.so" [{ parameters }];

DESCRIPTION
       filter-aaaa.so  is  a  query plugin module for named, enabling named to
       omit some IPv6 addresses when responding to clients.

       Until BIND 9.12, this feature was implemented natively in named and
       enabled with the filter-aaaa ACL and the filter-aaaa-on-v4 and
       filter-aaaa-on-v6 options. These options are now deprecated in
       named.conf, but can be passed as parameters to the filter-aaaa.so
       plugin, for example:

          plugin query "/usr/local/lib/filter-aaaa.so" {
                  filter-aaaa-on-v4 yes;
                  filter-aaaa-on-v6 yes;
                  filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
          };

       This module is intended to aid transition from IPv4 to IPv6 by
       withholding IPv6 addresses from DNS clients which are not connected
       to the IPv6 Internet, when the name being looked up has an IPv4
       address available. Use of this module is not recommended unless
       absolutely necessary.

       Note: This mechanism can erroneously cause other servers  not  to  give
       AAAA records to their clients. If a recursing server with both IPv6 and
       IPv4 network connections queries an  authoritative  server  using  this
       mechanism  via  IPv4, it will be denied AAAA records even if its client
       is using IPv6.

OPTIONS
       filter-aaaa
              Specifies a list of client addresses for which AAAA filtering is
              to be applied. The default is any.

       filter-aaaa-on-v4
              If set to yes and the DNS client is at an IPv4 address
              matched by filter-aaaa, and if the response does not include
              DNSSEC signatures, then all AAAA records are deleted from the
              response. This filtering applies to all responses and not
              only authoritative responses.

              If set to break-dnssec, then AAAA records are deleted even
              when DNSSEC is enabled. As suggested by the name, this causes
              the response to fail to verify, because the DNSSEC protocol
              is designed to detect deletions.

              This mechanism can erroneously cause other servers not  to  give
              AAAA records to their clients. A recursing server with both IPv6
              and IPv4  network  connections  that  queries  an  authoritative
              server using this mechanism via IPv4 will be denied AAAA records
              even if its client is using IPv6.

       filter-aaaa-on-v6
              Identical to filter-aaaa-on-v4, except it filters AAAA responses
              to  queries from IPv6 clients instead of IPv4 clients. To filter
              all responses, set both options to yes.
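
       The decision rules above, written out as an added example (a
       simplified model of what this page states, not BIND's own code). The
       function name, its arguments and the sample client addresses are
       assumptions; the ACL is the one from the example configuration.

```python
import ipaddress

def aaaa_filtered(client, acl="any", on_v4="no", on_v6="no",
                  has_a=True, signed=False):
    """Return True if AAAA records are dropped under the rules on this page.

    client: source address of the query as seen by named
    acl:    "any" or a list of addresses/prefixes (the filter-aaaa list)
    on_v4 / on_v6: "no", "yes" or "break-dnssec"
    has_a:  the name being looked up also has an A record
    signed: the response includes DNSSEC signatures
    """
    addr = ipaddress.ip_address(client)
    # The option consulted depends only on the transport of the query.
    mode = on_v4 if addr.version == 4 else on_v6
    if mode == "no" or not has_a:
        return False
    if acl != "any":
        nets = [ipaddress.ip_network(a, strict=False) for a in acl]
        if not any(n.version == addr.version and addr in n for n in nets):
            return False
    # "yes" leaves signed responses alone; "break-dnssec" strips AAAA anyway,
    # and a validating client then sees a response that fails to verify.
    return mode == "break-dnssec" or not signed

# ACL taken from the example configuration on this page.
ACL = ["192.0.2.1", "2001:db8:2::1"]

def scenarios():
    # Constructed cases; 198.51.100.7 is a made-up client outside the ACL.
    return {
        "v4 client in ACL, unsigned": aaaa_filtered("192.0.2.1", ACL, on_v4="yes"),
        "v4 client in ACL, signed": aaaa_filtered("192.0.2.1", ACL, on_v4="yes", signed=True),
        "v4 client, break-dnssec, signed": aaaa_filtered("192.0.2.1", ACL, on_v4="break-dnssec", signed=True),
        "v4 client outside ACL": aaaa_filtered("198.51.100.7", ACL, on_v4="yes"),
        "v6 client, only on-v4 set": aaaa_filtered("2001:db8:2::1", ACL, on_v4="yes"),
        "v6 client, on-v6 set": aaaa_filtered("2001:db8:2::1", ACL, on_v6="yes"),
        "name has no A record": aaaa_filtered("192.0.2.1", ACL, on_v4="yes", has_a=False),
        # The caveat from the Note: a dual-stack recursing server that queries
        # over IPv4 is judged by its own source address, so AAAA is withheld
        # even though the client behind it is using IPv6.
        "dual-stack resolver via IPv4": aaaa_filtered("192.0.2.1", "any", on_v4="yes"),
    }

if __name__ == "__main__":
    for name, dropped in scenarios().items():
        print(f"{name:34} AAAA dropped: {dropped}")
```

       The last case shows why the page advises against this module: the
       decision never sees the address family of the end client, only that
       of the server sending the query.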

SEE ALSO
       BIND 9 Administrator Reference Manual.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2020, Internet Systems Consortium

9.16.8-Debian                     2020-10-13                    FILTER-AAAA(8)
