filter-aaaa plugin should mark replies it modified
Description
Some network administrators choose to filter out AAAA queries on their legacy-only IPv4 networks. I do not think this is the best approach, but it should be possible to identify when a response was modified by the filter-AAAA (or filter-A) query plugin.
I think the primary change should be in end devices not asking unnecessary queries, not in the server blocking them. But it seems to be the only supported way in case AAAA queries generate costly traffic. No alternative system-wide way to reduce unnecessary queries seems to be supported.
Request
I think Extended DNS Codes are ideal for a small notice that this is not the original response forwarded, but something created locally. But the current plugins do not use any authority section or EDE codes. Unless I can validate the response via DNSSEC, I have no way to say whether the address does not exist. Or the network provider just does not want me to try connecting there, or to just forward AAAA queries.
Unless the administrator wants to hide his change, I think named should mark a synthesized empty response with an indication that this is not a reply from the authoritative server itself. I haven't found a good matching EDE code for this use case in RFC 8914 or its registry. Should a new one be allocated?
It seems to be very similar to overriding responses by RPZ rules.
# dig example.org @localhost aaaa
; <<>> DiG 9.16.23-RH <<>> example.org @localhost aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31531
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: fc6601cf1f17184a010000006425996e453f0431ac31b8e4 (good)
;; QUESTION SECTION:
;example.org. IN AAAA
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 30 10:15:10 EDT 2023
;; MSG SIZE rcvd: 68
Links / references
- Proposal to limit sent queries from clients - https://bugzilla.redhat.com/show_bug.cgi?id=2182745
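The client-side check this request would enable, as an added example that is not part of the original issue or of BIND's code: it parses a raw DNS response, collects any Extended DNS Error options (EDNS option code 15, RFC 8914) and classifies an empty NOERROR answer as marked or unmarked. Both messages are constructed: the first mirrors the dig output above, the second carries a hypothetical marking (info-code 17, "Filtered", with made-up extra text), since the issue leaves the choice of code open.

```python
import struct
EDE_OPTION, OPT_TYPE = 15, 41   # RFC 8914 option code; OPT pseudo-RR type

def skip_name(msg, off):        # return the offset just past a domain name
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:    # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def inspect(msg):
    """Return header counts and every EDE (info-code, text) in the OPT record."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    ede = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off, end = off + 10, off + 10 + rdlen
        while rtype == OPT_TYPE and off + 4 <= end:   # walk the EDNS options
            code, olen = struct.unpack_from("!HH", msg, off)
            if code == EDE_OPTION and olen >= 2:
                info = struct.unpack_from("!H", msg, off + 4)[0]
                text = msg[off + 6:off + 4 + olen].decode("utf-8", "replace")
                ede.append((info, text))
            off += 4 + olen
        off = end
    # Low four bits only; the extended RCODE bits in the OPT TTL are ignored.
    return {"rcode": flags & 0xF, "answer": an, "authority": ns, "ede": ede}

def classify(msg):
    r = inspect(msg)
    if r["rcode"] != 0 or r["answer"]:
        return "not-empty-noerror"
    if r["ede"]:
        return "marked"          # the server said why the answer is empty
    return "unmarked-no-authority" if r["authority"] == 0 else "nodata-with-authority"

# Constructed samples (flags qr rd ra, question example.org IN AAAA, udp 1232).
HEAD = (struct.pack("!6H", 31531, 0x8180, 1, 0, 0, 1)
        + b"\x07example\x03org\x00" + struct.pack("!HH", 28, 1))
COOKIE = struct.pack("!HH", 10, 24) + bytes.fromhex(
    "fc6601cf1f17184a010000006425996e453f0431ac31b8e4")
EDE = struct.pack("!HHH", EDE_OPTION, 10, 17) + b"filtered"  # hypothetical marking
def opt(options):
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(options)) + options
AS_ON_PAGE = HEAD + opt(COOKIE)          # 68 bytes, like the dig output
MARKED = HEAD + opt(COOKIE + EDE)
```

`classify(AS_ON_PAGE)` returns `"unmarked-no-authority"`, the case the issue describes, where only DNSSEC validation could tell a filtered answer from a name with no AAAA record.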