Filter AAAA option in BIND 9
Author: Michael Graff | Reference Number: AA-00576 | Created: 2011-12-22 22:42 | Last Updated: 2013-10-08 19:37

Executive Summary

BIND 9 has an option to filter AAAA (IPv6 address) records returned to the client based on the transport used for the query, and other filtering conditions.  This filtering does not affect the recursive queries made by the server (if any) as a result of the client request.

In order to use this filtering, both of the following conditions must be met:

  • BIND 9 must be compiled with a special build-time option (./configure --enable-filter-aaaa), and 
  • an options statement to enable it (filter-aaaa-on-v4 yes;) must be declared in named.conf.

This document describes the behavior observed with this option enabled, from various query sources and various query types.

Zone Contents and Server Configuration

The zone with the test records is under a personal domain of mine, served from ISC's SNS servers. The zone name is aaaa-filter-test.flame.org and is DNSSEC signed.

The zone contains many records, all of the format a-N-aaaa-M, which contain N "A" records and M "AAAA" records. Both N and M range from 0 to 5. For example, a-1-aaaa-4 will have 1 A record and 4 AAAA records.

The test server is a development snapshot which closely mimics 9.7.1b1 in behavior. DNSSEC is enabled through ISC's DLV (DNSSEC Look-aside Validation) system.

Methodology

The loopback IPv4 and IPv6 addresses were used to send queries to the server under test. Several types of queries were sent for each name: one query each for A, AAAA, and ANY (in that order). Each set of queries was sent both with and without a request for DNSSEC records. Note that in all cases the server was allowed to validate the answers it received from the remote host.

A Ruby script was used to quickly send all the queries and generate the tables shown below.
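The script itself is not included on this page. The following is an added sketch, not the author's code, of how one row of the tables below can be produced: it builds a query with or without the DO bit, sends it to 127.0.0.1 or ::1, and reduces the reply to its RR types per section and the AD bit. The function names are hypothetical, and the OPT record is always sent on the assumption that this matches the OPT shown in every Additional section; the sample reply is constructed, not captured.

```ruby
require 'socket'
TYPES = { 1 => 'A', 2 => 'NS', 6 => 'SOA', 28 => 'AAAA', 41 => 'OPT',
          46 => 'RRSIG', 47 => 'NSEC', 255 => 'ANY' }.freeze

# Build a query carrying an EDNS0 OPT record; dnssec: true sets the DO bit (dig +dnssec).
def build_query(name, type, dnssec:, id: rand(0x10000))
  qname = name.split('.').map { |l| l.bytesize.chr + l }.join + "\0"
  [id, 0x0100, 1, 0, 0, 1].pack('n6') + qname.b +        # RD=1, one question, one additional
    [TYPES.key(type), 1].pack('n2') +                      # QTYPE, QCLASS=IN
    [0, 41, 4096, dnssec ? 0x8000 : 0, 0].pack('CnnNn')    # OPT: root, UDP size, DO flag, no rdata
end

def skip_name(msg, pos) # labels end at a root byte (1 octet) or a compression pointer (2 octets)
  pos += 1 + msg.getbyte(pos) while msg.getbyte(pos).between?(1, 63)
  pos + (msg.getbyte(pos).zero? ? 1 : 2)
end

# Reduce a response to one row of the tables: RR types per section plus the AD bit.
def summarize(msg)
  _id, flags, qd, *counts = msg.unpack('n6')
  pos = 12
  qd.times { pos = skip_name(msg, pos) + 4 }
  answer, authority, additional = counts.map do |count|
    types = Array.new(count) do
      pos = skip_name(msg, pos)
      type, _class, _ttl, rdlen = msg[pos, 10].unpack('nnNn')
      pos += 10 + rdlen
      TYPES.fetch(type, "TYPE#{type}")
    end
    types.empty? ? 'Empty' : types.uniq.sort.join(', ')
  end
  { rcode: (flags & 0xF).zero? ? 'NOERROR' : "RCODE#{flags & 0xF}", ad: (flags & 0x20) != 0,
    answer: answer, authority: authority, additional: additional }
end

# Live query over UDP; the address family of `server` (127.0.0.1 or ::1) picks the transport.
def ask(server, name, type, dnssec:)
  sock = UDPSocket.new(server.include?(':') ? Socket::AF_INET6 : Socket::AF_INET)
  sock.send(build_query(name, type, dnssec: dnssec), 0, server, 53)
  raise "no reply from #{server}" unless IO.select([sock], nil, nil, 3)
  summarize(sock.recvfrom(4096).first)
ensure
  sock&.close
end

# Constructed reply (not captured traffic): AAAA filtered out, NS in authority, OPT, AD clear.
q = build_query('a-4-aaaa-4.aaaa-filter-test.flame.org', 'AAAA', dnssec: false, id: 1)
SAMPLE_REPLY = [1, 0x8180, 1, 0, 1, 1].pack('n6') + q[12...-11] +
               [0xC00C, 2, 1, 300, 2, 0xC00C].pack('nnnNnn') + q[-11..]
p summarize(SAMPLE_REPLY)
```

Against a live server, comparing `ask('127.0.0.1', name, 'AAAA', dnssec: false)` with the same call to `'::1'` shows whether the filter is active for that name.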

filter-aaaa on, IPv4 source, +dnssec

| Query name | Query type | Result | Answer section | Authority | Additional section | AD bit set? |
|---|---|---|---|---|---|---|
| a-4-aaaa-0 (A records present but AAAA records absent) | A | NOERROR | A, RRSIG | NS, RRSIG | OPT | Yes |
| | AAAA | NOERROR | Empty | NSEC, RRSIG, SOA | OPT | Yes |
| | ANY | NOERROR | A, NSEC, RRSIG | NS, RRSIG | OPT | Yes |
| a-4-aaaa-4 (A records present and AAAA records present) | A | NOERROR | A, RRSIG | NS, RRSIG | OPT | Yes |
| | AAAA | NOERROR | AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| | ANY | NOERROR | A, AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| a-0-aaaa-4 (A records absent but AAAA records present) | A | NOERROR | Empty | NSEC, RRSIG, SOA | OPT | Yes |
| | AAAA | NOERROR | AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| | ANY | NOERROR | AAAA, NSEC, RRSIG | NS, RRSIG | OPT | Yes |

filter-aaaa on, IPv6 source, +dnssec

| Query name | Query type | Result | Answer section | Authority | Additional section | AD bit set? |
|---|---|---|---|---|---|---|
| a-4-aaaa-0 (A records present but AAAA records absent) | A | NOERROR | A, RRSIG | NS, RRSIG | OPT | Yes |
| | AAAA | NOERROR | Empty | NSEC, RRSIG, SOA | OPT | Yes |
| | ANY | NOERROR | A, NSEC, RRSIG | NS, RRSIG | OPT | Yes |
| a-4-aaaa-4 (A records present and AAAA records present) | A | NOERROR | A, RRSIG | NS, RRSIG | OPT | Yes |
| | AAAA | NOERROR | AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| | ANY | NOERROR | A, AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| a-0-aaaa-4 (A records absent but AAAA records present) | A | NOERROR | Empty | NSEC, RRSIG, SOA | OPT | Yes |
| | AAAA | NOERROR | AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| | ANY | NOERROR | AAAA, NSEC, RRSIG | NS, RRSIG | OPT | Yes |

filter-aaaa on, IPv4 source, no +dnssec

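| Query name | Query type | Result | Answer section | Authority | Additional section | AD bit set? |
|---|---|---|---|---|---|---|
| a-4-aaaa-0 (A records present but AAAA records absent) | A | NOERROR | A | NS | OPT | No |
| | AAAA | NOERROR | Empty | SOA | OPT | No |
| | ANY | NOERROR | A, NSEC, RRSIG | NS | OPT | No |
| a-4-aaaa-4 (A records present and AAAA records present) | A | NOERROR | A | NS | OPT | No |
| | AAAA | NOERROR | Empty | NS | OPT | No |
| | ANY | NOERROR | A, RRSIG | NS | OPT | No |
| a-0-aaaa-4 (A records absent but AAAA records present) | A | NOERROR | Empty | SOA | OPT | No |
| | AAAA | NOERROR | AAAA | NS | OPT | No |
| | ANY | NOERROR | NSEC, RRSIG | NS | OPT | No |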

filter-aaaa on, IPv6 source, no +dnssec

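| Query name | Query type | Result | Answer section | Authority | Additional section | AD bit set? |
|---|---|---|---|---|---|---|
| a-4-aaaa-0 (A records present but AAAA records absent) | A | NOERROR | A | NS | OPT | No |
| | AAAA | NOERROR | Empty | SOA | OPT | No |
| | ANY | NOERROR | A, NSEC, RRSIG | NS | OPT | No |
| a-4-aaaa-4 (A records present and AAAA records present) | A | NOERROR | A | NS | OPT | No |
| | AAAA | NOERROR | AAAA | NS | OPT | No |
| | ANY | NOERROR | A, AAAA, RRSIG | NS | OPT | No |
| a-0-aaaa-4 (A records absent but AAAA records present) | A | NOERROR | Empty | SOA | OPT | No |
| | AAAA | NOERROR | AAAA | NS | OPT | No |
| | ANY | NOERROR | AAAA, NSEC, RRSIG | NS | OPT | No |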

filter-aaaa off, IPv4 source, +dnssec

| Query name | Query type | Result | Answer section | Authority | Additional section | AD bit set? |
|---|---|---|---|---|---|---|
| a-4-aaaa-0 (A records present but AAAA records absent) | A | NOERROR | A, RRSIG | NS, RRSIG | OPT | Yes |
| | AAAA | NOERROR | Empty | NSEC, RRSIG, SOA | OPT | Yes |
| | ANY | NOERROR | A, NSEC, RRSIG | NS, RRSIG | OPT | Yes |
| a-4-aaaa-4 (A records present and AAAA records present) | A | NOERROR | A, RRSIG | NS, RRSIG | OPT | Yes |
| | AAAA | NOERROR | AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| | ANY | NOERROR | A, AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| a-0-aaaa-4 (A records absent but AAAA records present) | A | NOERROR | Empty | NSEC, RRSIG, SOA | OPT | Yes |
| | AAAA | NOERROR | AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| | ANY | NOERROR | AAAA, NSEC, RRSIG | NS, RRSIG | OPT | Yes |

filter-aaaa off, IPv6 source, +dnssec

| Query name | Query type | Result | Answer section | Authority | Additional section | AD bit set? |
|---|---|---|---|---|---|---|
| a-4-aaaa-0 (A records present but AAAA records absent) | A | NOERROR | A, RRSIG | NS, RRSIG | OPT | Yes |
| | AAAA | NOERROR | Empty | NSEC, RRSIG, SOA | OPT | Yes |
| | ANY | NOERROR | A, NSEC, RRSIG | NS, RRSIG | OPT | Yes |
| a-4-aaaa-4 (A records present and AAAA records present) | A | NOERROR | A, RRSIG | NS, RRSIG | OPT | Yes |
| | AAAA | NOERROR | AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| | ANY | NOERROR | A, AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| a-0-aaaa-4 (A records absent but AAAA records present) | A | NOERROR | Empty | NSEC, RRSIG, SOA | OPT | Yes |
| | AAAA | NOERROR | AAAA, RRSIG | NS, RRSIG | OPT | Yes |
| | ANY | NOERROR | AAAA, NSEC, RRSIG | NS, RRSIG | OPT | Yes |

filter-aaaa off, IPv4 source, no +dnssec

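| Query name | Query type | Result | Answer section | Authority | Additional section | AD bit set? |
|---|---|---|---|---|---|---|
| a-4-aaaa-0 (A records present but AAAA records absent) | A | NOERROR | A | NS | OPT | No |
| | AAAA | NOERROR | Empty | SOA | OPT | No |
| | ANY | NOERROR | A, NSEC, RRSIG | NS | OPT | No |
| a-4-aaaa-4 (A records present and AAAA records present) | A | NOERROR | A | NS | OPT | No |
| | AAAA | NOERROR | AAAA | NS | OPT | No |
| | ANY | NOERROR | A, AAAA, RRSIG | NS | OPT | No |
| a-0-aaaa-4 (A records absent but AAAA records present) | A | NOERROR | Empty | SOA | OPT | No |
| | AAAA | NOERROR | AAAA | NS | OPT | No |
| | ANY | NOERROR | AAAA, NSEC, RRSIG | NS | OPT | No |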

filter-aaaa off, IPv6 source, no +dnssec

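| Query name | Query type | Result | Answer section | Authority | Additional section | AD bit set? |
|---|---|---|---|---|---|---|
| a-4-aaaa-0 (A records present but AAAA records absent) | A | NOERROR | A | NS | OPT | No |
| | AAAA | NOERROR | Empty | SOA | OPT | No |
| | ANY | NOERROR | A, NSEC, RRSIG | NS | OPT | No |
| a-4-aaaa-4 (A records present and AAAA records present) | A | NOERROR | A | NS | OPT | No |
| | AAAA | NOERROR | AAAA | NS | OPT | No |
| | ANY | NOERROR | A, AAAA, RRSIG | NS | OPT | No |
| a-0-aaaa-4 (A records absent but AAAA records present) | A | NOERROR | Empty | SOA | OPT | No |
| | AAAA | NOERROR | AAAA | NS | OPT | No |
| | ANY | NOERROR | AAAA, NSEC, RRSIG | NS | OPT | No |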


© 2001-2017 Internet Systems Consortium


Feedback 2
  • [Paul Ebersman]: 2013-01-28 15:23

    Should make it clear that this option merely filters responses to clients; it does not limit what queries the recursive server makes to auth servers. I.e., if the hope is to cut down on recursive DNS traffic to the internet for AAAA/ip6.arpa requests, this is not the droid you're looking for.

  • [Brian Conry]: Re: 2013-08-14 21:23

    That is a very good point. Do the most recent edits make that clear?
