Skip to content

GitLab

Commit 5bd85525 authored by Tinderbox User's avatar Tinderbox User
Browse files

prep 9.13.5

parent cbde34e7
Hide whitespace changes
Inline Side-by-side
Showing with 213 additions and 142 deletions
CHANGES
View file @ 5bd85525
--- 9.13.5 released ---
5108. [bug] Named could fail to determine bottom of zone when
removing out of date keys leading to invalid NSEC
and NSEC3 records being added to the zone. [GL #771]
......
README
View file @ 5bd85525
......@@ -104,6 +104,10 @@ BIND 9.13 features
BIND 9.13 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.12 and earlier releases. New features include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a
plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
......
README.md
View file @ 5bd85525
......@@ -122,6 +122,9 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.12 and earlier releases. New features
include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
......
bin/check/named-checkconf.8
View file @ 5bd85525
......@@ -39,7 +39,7 @@
named-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP \w'\fBnamed\-checkconf\fR\ 'u
\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
......@@ -79,6 +79,13 @@ When loading a zonefile read the journal if it exists\&.
List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
.RE
.PP
\-c
.RS 4
Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
\fBplugin\fR
statements to be ignored\&.
.RE
.PP
\-p
.RS 4
Print out the
......
bin/check/named-checkconf.html
View file @ 5bd85525
......@@ -33,7 +33,7 @@
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named-checkconf</code>
[<code class="option">-hjlvz</code>]
[<code class="option">-chjlvz</code>]
[<code class="option">-p</code>
[<code class="option">-x</code>
]]
......@@ -88,6 +88,14 @@
(e.g. master or slave).
</p>
</dd>
<dt><span class="term">-c</span></dt>
<dd>
<p>
Check "core" configuration only. This suppresses the loading
of plugin modules, and causes all parameters to
<span class="command"><strong>plugin</strong></span> statements to be ignored.
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd>
<p>
......
bin/dnssec/dnssec-keygen.8
View file @ 5bd85525
......@@ -327,21 +327,21 @@ and
files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
.SH "EXAMPLE"
.PP
To generate a 768\-bit DSA key for the domain
To generate an ECDSAP256SHA256 key for the domain
\fBexample\&.com\fR, the following command would be issued:
.PP
\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR
.PP
The command would print a string of the form:
.PP
\fBKexample\&.com\&.+003+26160\fR
\fBKexample\&.com\&.+013+26160\fR
.PP
In this example,
\fBdnssec\-keygen\fR
creates the files
Kexample\&.com\&.+003+26160\&.key
Kexample\&.com\&.+013+26160\&.key
and
Kexample\&.com\&.+003+26160\&.private\&.
Kexample\&.com\&.+013+26160\&.private\&.
.SH "SEE ALSO"
.PP
\fBdnssec-signzone\fR(8),
......
bin/dnssec/dnssec-keygen.html
View file @ 5bd85525
......@@ -498,22 +498,22 @@
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
To generate an ECDSAP256SHA256 key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
<p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
</p>
<p>
The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
<p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
</p>
<p>
In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
the files <code class="filename">Kexample.com.+013+26160.key</code>
and
<code class="filename">Kexample.com.+003+26160.private</code>.
<code class="filename">Kexample.com.+013+26160.private</code>.
</p>
</div>
......
bin/dnssec/dnssec-signzone.8
View file @ 5bd85525
......@@ -415,9 +415,9 @@ Specify which keys should be used to sign the zone\&. If no keys are specified,
.PP
The following command signs the
\fBexample\&.com\fR
zone with the DSA key generated by
zone with the ECDSAP256SHA256 key generated by key generated by
\fBdnssec\-keygen\fR
(Kexample\&.com\&.+003+17247)\&. Because the
(Kexample\&.com\&.+013+17247)\&. Because the
\fB\-S\fR
option is not being used, the zone\*(Aqs keys must be in the master file (db\&.example\&.com)\&. This invocation looks for
dsset
......@@ -428,7 +428,7 @@ files, in the current directory, so that DS records can be imported from them (\
.\}
.nf
% dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \e
Kexample\&.com\&.+003+17247
Kexample\&.com\&.+013+17247
db\&.example\&.com\&.signed
%
.fi
......
bin/dnssec/dnssec-signzone.html
View file @ 5bd85525
......@@ -624,15 +624,16 @@
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
(Kexample.com.+003+17247). Because the <span class="command"><strong>-S</strong></span> option
is not being used, the zone's keys must be in the master file
zone with the ECDSAP256SHA256 key generated by key generated by
<span class="command"><strong>dnssec-keygen</strong></span> (Kexample.com.+013+17247).
Because the <span class="command"><strong>-S</strong></span> option is not being used,
the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files, in the current directory,
so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
Kexample.com.+013+17247
db.example.com.signed
%</pre>
<p>
......
bin/plugins/filter-aaaa.8
View file @ 5bd85525
......@@ -9,7 +9,7 @@
'\" t
.\" Title: filter-aaaa.so
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2018-08-13
.\" Manual: BIND9
.\" Source: ISC
......@@ -38,12 +38,12 @@
.SH "NAME"
filter-aaaa.so \- filter AAAA in DNS responses when A is present
.SH "SYNOPSIS"
.HP 28
\fBhook query "filter\-aaaa\&.so"\fR [\fI{\ parameters\ }\fR];
.HP \w'\fBplugin\ query\ "filter\-aaaa\&.so"\fR\ 'u
\fBplugin query "filter\-aaaa\&.so"\fR [\fI{\ parameters\ }\fR];
.SH "DESCRIPTION"
.PP
\fBfilter\-aaaa\&.so\fR
is a query hook module for
is a query plugin module for
\fBnamed\fR, enabling
\fBnamed\fR
to omit some IPv6 addresses when responding to clients\&.
......@@ -59,13 +59,13 @@ and
options\&. These options are now deprecated in
named\&.conf, but can be passed as parameters to the
\fBfilter\-aaaa\&.so\fR
hook module, for example:
plugin, for example:
.sp
.if n \{\
.RS 4
.\}
.nf
hook query "/usr/local/lib/filter\-aaaa\&.so" {
plugin query "/usr/local/lib/filter\-aaaa\&.so" {
filter\-aaaa\-on\-v4 yes;
filter\-aaaa\-on\-v6 yes;
filter\-aaaa { 192\&.0\&.2\&.1; 2001:db8:2::1; };
......
bin/plugins/filter-aaaa.c
View file @ 5bd85525
......@@ -460,7 +460,7 @@ plugin_destroy(void **instp) {
}
/*
* Returns hook module API version for compatibility checks.
* Returns plugin API version for compatibility checks.
*/
int
plugin_version(void) {
......
bin/plugins/filter-aaaa.html
View file @ 5bd85525
......@@ -10,27 +10,40 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>filter-aaaa.so</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.filter-aaaa"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">filter-aaaa.so</span> &#8212; filter AAAA in DNS responses when A is present</p>
<p>
<span class="application">filter-aaaa.so</span>
&#8212; filter AAAA in DNS responses when A is present
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">hook query "filter-aaaa.so"</code> [<em class="replaceable"><code>{ parameters }</code></em>];
<div class="cmdsynopsis"><p>
<code class="command">plugin query "filter-aaaa.so"</code>
[<em class="replaceable"><code>{ parameters }</code></em>];
</p></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>filter-aaaa.so</strong></span> is a query hook module for
<p>
<span class="command"><strong>filter-aaaa.so</strong></span> is a query plugin module for
<span class="command"><strong>named</strong></span>, enabling <span class="command"><strong>named</strong></span>
to omit some IPv6 addresses when responding to clients.
</p>
<p>
<p>
Until BIND 9.12, this feature was implemented natively in
<span class="command"><strong>named</strong></span> and enabled with the
<span class="command"><strong>filter-aaaa</strong></span> ACL and the
......@@ -38,42 +51,45 @@
<span class="command"><strong>filter-aaaa-on-v6</strong></span> options. These options are
now deprecated in <code class="filename">named.conf</code>, but can be
passed as parameters to the <span class="command"><strong>filter-aaaa.so</strong></span>
hook module, for example:
plugin, for example:
</p>
<pre class="programlisting">
hook query "/usr/local/lib/filter-aaaa.so" {
<pre class="programlisting">
plugin query "/usr/local/lib/filter-aaaa.so" {
filter-aaaa-on-v4 yes;
filter-aaaa-on-v6 yes;
filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
};
</pre>
<p>
<p>
This module is intended to aid transition from IPv4 to IPv6 by
withholding IPv6 addresses from DNS clients which are not connected
to the IPv6 Internet, when the name being looked up has an IPv4
address available. Use of this module is not recommended unless
absolutely necessary.
</p>
<p>
<p>
Note: This mechanism can erroneously cause other servers not to
give AAAA records to their clients. If a recursing server with
both IPv6 and IPv4 network connections queries an authoritative
server using this mechanism via IPv4, it will be denied AAAA
records even if its client is using IPv6.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
<dd><p>
<dd>
<p>
Specifies a list of client addresses for which AAAA
filtering is to be applied. The default is
<strong class="userinput"><code>any</code></strong>.
</p></dd>
</p>
</dd>
<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
<dd>
<p>
<p>
If set to <strong class="userinput"><code>yes</code></strong>, the DNS client is
at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
and if the response does not include DNSSEC signatures,
......@@ -81,35 +97,39 @@ hook query "/usr/local/lib/filter-aaaa.so" {
This filtering applies to all responses and not only
authoritative responses.
</p>
<p>
<p>
If set to <strong class="userinput"><code>break-dnssec</code></strong>,
then AAAA records are deleted even when DNSSEC is
enabled. As suggested by the name, this causes the
response to fail to verify, because the DNSSEC protocol is
designed to detect deletions.
</p>
<p>
<p>
This mechanism can erroneously cause other servers not to
give AAAA records to their clients. A recursing server with
both IPv6 and IPv4 network connections that queries an
authoritative server using this mechanism via IPv4 will be
denied AAAA records even if its client is using IPv6.
</p>
</dd>
</dd>
<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
<dd><p>
<dd>
<p>
Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
except it filters AAAA responses to queries from IPv6
clients instead of IPv4 clients. To filter all
responses, set both options to <strong class="userinput"><code>yes</code></strong>.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div>
</div></body>
</html>
configure
View file @ 5bd85525
......@@ -842,7 +842,6 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
......@@ -1002,7 +1001,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
......@@ -1255,15 +1253,6 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
 
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
......@@ -1401,7 +1390,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir
libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
......@@ -1554,7 +1543,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
......
doc/arm/Bv9ARM.ch01.html
View file @ 5bd85525
......@@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5 (Development Release)</p>
</body>
</html>
doc/arm/Bv9ARM.ch02.html
View file @ 5bd85525
......@@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5 (Development Release)</p>
</body>
</html>
doc/arm/Bv9ARM.ch03.html
View file @ 5bd85525
......@@ -47,6 +47,11 @@
<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch03.html#module-info">Plugins</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6.5">Configuring Plugins</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6.6">Developing Plugins</a></span></dt>
</dl></dd>
</dl>
</div>
......@@ -741,6 +746,105 @@ controls {
</div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="module-info"></a>Plugins</h2></div></div></div>
<p>
Plugins are a mechanism to extend the functionality of
<span class="command"><strong>named</strong></span> using dynamically loadable libraries.
By using plugins, core server functionality can be kept simple
for the majority of users; more complex code implementing optional
features need only be installed by users that need those features.
</p>
<p>
The plugin interface is a work in progress, and is expected to evolve
as more plugins are added. Currently, only "query plugins" are supported;
these modify the name server query logic. Other plugin types may be added
in the future.
</p>
<p>
The only plugin currently included in BIND is
<code class="filename">filter-aaaa.so</code>, which replaces the
<span class="command"><strong>filter-aaaa</strong></span> feature that previously existed natively
as part of <span class="command"><strong>named</strong></span>.
The code for this feature has been removed from <span class="command"><strong>named</strong></span>,
and can no longer be configured using standard
<code class="filename">named.conf</code> syntax, but linking in the
<code class="filename">filter-aaaa.so</code> plugin provides identical
functionality.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.4.6.5"></a>Configuring Plugins</h3></div></div></div>
<p>
A plugin is configured with the <span class="command"><strong>plugin</strong></span>
statement in <code class="filename">named.conf</code>:
</p>
<pre class="screen">
plugin query "library.so" {
<em class="replaceable"><code>parameters</code></em>
};
</pre>
<p>
In this example, file <code class="filename">library.so</code> is the plugin
library. <code class="literal">query</code> indicates that this is a query
plugin.
</p>
<p>
</p>
<p>
Multiple <span class="command"><strong>plugin</strong></span> statements can be specified, to load
different plugins or multiple instances of the same plugin.
</p>
<p>
<em class="replaceable"><code>parameters</code></em> are passed as an opaque
string to the plugin's initialization routine. Configuration
syntax will differ depending on the module.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.4.6.6"></a>Developing Plugins</h3></div></div></div>
<p>
Each plugin implements four functions:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<span class="command"><strong>plugin_register</strong></span> to allocate memory,
configure a plugin instance, and attach to hook points within
<span class="command"><strong>named</strong></span>,</li>
<li class="listitem">
<span class="command"><strong>plugin_destroy</strong></span> to tear down the plugin
instance and free memory,</li>
<li class="listitem">
<span class="command"><strong>plugin_version</strong></span> to check that the plugin
is compatible with the current version of the plugin API,</li>
<li class="listitem">
<span class="command"><strong>plugin_check</strong></span> to test syntactic
correctness of the plugin parameters.</li>
</ul></div>
<p>
</p>
<p>
At various locations within the <span class="command"><strong>named</strong></span> source code,
there are "hook points" at which a plugin may register itself.
When a hook point is reached while <span class="command"><strong>named</strong></span> is
running, it is checked to see whether any plugins have registered
themselves there; if so, the associated "hook action" is called -
this is a function within the plugin library. Hook actions may
examine the runtime state and make changes - for example, modifying
the answers to be sent back to a client or forcing a query to be
aborted. More details can be found in the file
<code class="filename">lib/ns/include/ns/hooks.h</code>.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
......@@ -759,6 +863,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5 (Development Release)</p>
</body>
</html>
doc/arm/Bv9ARM.ch04.html
View file @ 5bd85525
......@@ -2868,6 +2868,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5 (Development Release)</p>
</body>
</html>
doc/arm/Bv9ARM.ch05.html
View file @ 5bd85525
......@@ -4626,63 +4626,6 @@ options {
internally. The use of this option is discouraged.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
<dd>
<p>
This option is intended to help the
transition from IPv4 to IPv6 by not giving IPv6 addresses
to DNS clients unless they have connections to the IPv6
Internet. This is not recommended unless absolutely
necessary. The default is <strong class="userinput"><code>no</code></strong>.
The <span class="command"><strong>filter-aaaa-on-v4</strong></span> option
may also be specified in <span class="command"><strong>view</strong></span> statements
to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span>
option.
</p>
<p>
If <strong class="userinput"><code>yes</code></strong>,
the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
and if the response does not include DNSSEC signatures,
then all AAAA records are deleted from the response.
This filtering applies to all responses and not only
authoritative responses.
</p>
<p>
If <strong class="userinput"><code>break-dnssec</code></strong>,
then AAAA records are deleted even when DNSSEC is enabled.
As suggested by the name, this makes the response not verify,
because the DNSSEC protocol is designed detect deletions.
</p>
<p>
This mechanism can erroneously cause other servers to
not give AAAA records to their clients.
A recursing server with both IPv6 and IPv4 network connections
that queries an authoritative server using this mechanism
via IPv4 will be denied AAAA records even if its client is
using IPv6.
</p>
<p>
This mechanism is applied to authoritative as well as
non-authoritative records.
A client using IPv4 that is not allowed recursion can
erroneously be given AAAA records because the server is not
allowed to check for A records.
</p>
<p>
Some AAAA records are given to IPv4 clients in glue records.
IPv4 clients that are servers can then erroneously