Filter AAAA option in BIND 9
  • 16 Oct 2018

AAAA Filtering

When acting as a resolver, BIND 9 has an option to filter AAAA (IPv6 address) records returned to the client, based on the transport used for the query (IPv4 or IPv6) and other filtering conditions.  This filtering does not affect the recursive queries made by the server (if any) as a result of the client request.

To use this filtering, the following conditions must be met:

  • BIND 9 must be compiled with a special build-time option (./configure --enable-filter-aaaa),
  • an options statement to enable it (for example, filter-aaaa-on-v4 yes; and/or filter-aaaa-on-v6 yes;) must be declared in named.conf, and
  • the client must not be excluded by the filter-aaaa ACL (this defaults to any, so exclusion is not generally the case).

If AAAA filtering is active for a given transport, and a query for type AAAA or ANY is received via that transport, then AAAA records will be omitted from the response, UNLESS the response is DNSSEC-signed.

If filter-aaaa-on-v4 or filter-aaaa-on-v6 is set to break-dnssec instead of yes, then AAAA records will be omitted even if they are signed. RRSIG records covering type AAAA will be omitted as well.
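
A named.conf fragment covering the conditions and settings described above, as an added example rather than ISC's own configuration. It assumes a server built with --enable-filter-aaaa; the ACL name and the 192.0.2.0/24 range are constructed placeholders.

```conf
// Constructed ACL: the clients that AAAA filtering should apply to.
acl "filter-clients" {
    192.0.2.0/24;    // documentation range, replace with real client networks
};

options {
    // Filtering applies only to clients matching this ACL.
    // Leaving the statement out keeps the default of "any".
    filter-aaaa { "filter-clients"; };

    // Omit AAAA records from answers to AAAA and ANY queries that
    // arrive over IPv4, unless the response is DNSSEC-signed.
    filter-aaaa-on-v4 yes;

    // The same behaviour for queries that arrive over IPv6.
    // filter-aaaa-on-v6 yes;

    // Alternative to "yes": omit AAAA records even when they are signed,
    // together with the RRSIG records covering type AAAA. A validating
    // client behind this resolver then has no signed AAAA data to check,
    // so use this setting only where that is acceptable.
    // filter-aaaa-on-v4 break-dnssec;
};
```

Running named-checkconf against the edited file catches syntax errors before the server is reloaded.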