When acting as a resolver, BIND 9 has an option to filter AAAA (IPv6 address) records returned to the client, based on the transport used for the query (IPv4 or IPv6) and other filtering conditions. This filtering does not affect the recursive queries made by the server (if any) as a result of the client request.
To use this filtering, the following conditions must be met:
- BIND 9 must be compiled with a special build-time option (./configure --enable-filter-aaaa), and
- an options statement to enable it (for example, filter-aaaa-on-v6 yes;) must be declared in
- the client must not be blocked in the filter-aaaa ACL (this defaults to any, so is not generally the case)
If AAAA filtering is active for a given transport, and a query for type AAAA or ANY is received via that transport, then AAAA records will be omitted from the response, UNLESS the response is DNSSEC-signed. If filter-aaaa-on-v6 is set to break-dnssec instead of yes, then AAAA records will be omitted even if they are signed. RRSIG records covering type AAAA will be omitted as well.
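The following named.conf fragment is an added example, not taken from the original page or from the BIND distribution, showing how the settings described above fit together. The ACL name and the 192.0.2.0/24 network are constructed placeholders, and filter-aaaa-on-v4 is the IPv4-transport counterpart of the filter-aaaa-on-v6 option named above.

```conf
// Constructed example: applies only to a BIND 9 binary built with
// ./configure --enable-filter-aaaa

// Hypothetical client network (RFC 5737 documentation range).
acl v4-only-clients {
    192.0.2.0/24;
};

options {
    recursion yes;

    // Omit AAAA records from answers to queries received over IPv4.
    // With "yes", DNSSEC-signed responses are left untouched.
    filter-aaaa-on-v4 yes;

    // Do not filter answers to queries received over IPv6.
    filter-aaaa-on-v6 no;

    // Limit filtering to the listed clients instead of the default "any".
    filter-aaaa { v4-only-clients; };

    // Alternative to "yes": strip AAAA and the covering RRSIG records
    // even from signed responses. A validating client behind this
    // resolver can then no longer verify the answer, because DNSSEC is
    // designed to detect exactly this kind of deletion.
    // filter-aaaa-on-v4 break-dnssec;
};
```

Running named-checkconf against the edited file reports syntax errors before named is reloaded.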
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.