---
title: "Filter AAAA option in BIND 9"
slug: "aa-00576"
description: "When acting as a resolver, BIND 9 has an option to filter AAAA (IPv6 address) records returned to the client, based on the transport used for the query (IPv4 or IPv6) and other filtering conditions.  This filtering does not affect the recursive queries made by the server (if any) as a result of the client request."
tags: ["IPv6", "bind 9"]
updated: 2018-10-16T14:30:29Z
published: 2018-10-16T14:30:29Z
stale: true
---

> ## Documentation Index
> Fetch the complete documentation index at: https://kb.isc.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Filter AAAA option in BIND 9

### AAAA Filtering

When acting as a resolver, BIND 9 has an option to filter AAAA (IPv6 address) records returned to the client, based on the transport used for the query (IPv4 or IPv6) and other filtering conditions. This filtering does not affect the recursive queries made by the server (if any) as a result of the client request.

To use this filtering, the following conditions must be met:

- BIND 9 must be compiled with a special build-time option (`./configure --enable-filter-aaaa`), and
- an options statement to enable it (for example, `filter-aaaa-on-v4 yes;` and/or `filter-aaaa-on-v6 yes;`) must be declared in `named.conf`.
- the client must not be blocked in the `filter-aaaa` ACL (this defaults to `any`, so is not generally the case)

If AAAA filtering is active for a given transport, and a query for type AAAA or ANY is received via that transport, then AAAA records will be omitted from the response, UNLESS the response is DNSSEC-signed.

If `filter-aaaa-on-v4` or `filter-aaaa-on-v6` is set to `break-dnssec` instead of `yes`, then AAAA records will be omitted even if they are signed. RRSIG records covering type AAAA will be omitted as well.