<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>filter-aaaa.so</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
<link rel="prev" href="man.dnstap-read.html" title="dnstap-read">
<link rel="next" href="man.host.html" title="host">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">filter-aaaa.so</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnstap-read.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.filter-aaaa"></a><div class="titlepage"></div>
  
  
  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">filter-aaaa.so</span>
     &#8212; filter AAAA in DNS responses when A is present
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">plugin query "filter-aaaa.so"</code> 
       [<em class="replaceable"><code>{ parameters }</code></em>];
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.13.19.7"></a><h2>DESCRIPTION</h2>
    <p>
      <span class="command"><strong>filter-aaaa.so</strong></span> is a query plugin module for
      <span class="command"><strong>named</strong></span>, enabling <span class="command"><strong>named</strong></span>
      to omit some IPv6 addresses when responding to clients.
    </p>
    <p>
      Until BIND 9.12, this feature was implemented natively in
      <span class="command"><strong>named</strong></span> and enabled with the
      <span class="command"><strong>filter-aaaa</strong></span> ACL and the
      <span class="command"><strong>filter-aaaa-on-v4</strong></span> and
      <span class="command"><strong>filter-aaaa-on-v6</strong></span> options. These options are
      now deprecated in <code class="filename">named.conf</code>, but can be
      passed as parameters to the <span class="command"><strong>filter-aaaa.so</strong></span>
      plugin, for example:
    </p>
    <pre class="programlisting">
plugin query "/usr/local/lib/filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
        filter-aaaa-on-v6 yes;
        filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
};
</pre>
    <p>
      This module is intended to aid transition from IPv4 to IPv6 by
      withholding IPv6 addresses from DNS clients which are not connected
      to the IPv6 Internet, when the name being looked up has an IPv4
      address available.  Use of this module is not recommended unless
      absolutely necessary.
    </p>
    <p>
      Note: This mechanism can erroneously cause other servers not to
      give AAAA records to their clients.  If a recursing server with
      both IPv6 and IPv4 network connections queries an authoritative
      server using this mechanism via IPv4, it will be denied AAAA
      records even if its client is using IPv6.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.13.19.8"></a><h2>OPTIONS</h2>
    <div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
<dd>
	  <p>
	    Specifies a list of client addresses for which AAAA
	    filtering is to be applied.  The default is
	    <strong class="userinput"><code>any</code></strong>.
	  </p>
	</dd>
<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
<dd>
	  <p>
	    If set to <strong class="userinput"><code>yes</code></strong>, and the DNS client is
	    at an IPv4 address that matches <span class="command"><strong>filter-aaaa</strong></span>,
	    and the response does not include DNSSEC signatures,
	    then all AAAA records are deleted from the response.
	    This filtering applies to all responses and not only
	    authoritative responses.
	  </p>
	  <p>
	    If set to <strong class="userinput"><code>break-dnssec</code></strong>,
	    then AAAA records are deleted even when DNSSEC is
	    enabled.  As suggested by the name, this causes the
	    response to fail to verify, because the DNSSEC protocol is
	    designed to detect deletions.
	  </p>
	  <p>
	    This mechanism can erroneously cause other servers not to
	    give AAAA records to their clients.  A recursing server with
	    both IPv6 and IPv4 network connections that queries an
	    authoritative server using this mechanism via IPv4 will be
	    denied AAAA records even if its client is using IPv6.
	  </p>
	</dd>
<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
<dd>
	  <p>
	    Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
	    except it filters AAAA responses to queries from IPv6
	    clients instead of IPv4 clients.  To filter all
	    responses, set both options to <strong class="userinput"><code>yes</code></strong>.
	  </p>
	</dd>
</dl></div>
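    <p>
      Added example, not part of the BIND documentation or source: a small
      Python model of the filtering decision described by the options above,
      for reasoning about which clients lose AAAA records under a given
      configuration. The function and parameter names are hypothetical, and
      treating an unset on-v4/on-v6 option as "no" is an assumption of the model.
    </p>

```python
# Illustrative model of the filter-aaaa decision described in OPTIONS.
# Not BIND code: all names are hypothetical; addresses are documentation ranges.
import ipaddress

PAGE_ACL = ["192.0.2.1", "2001:db8:2::1"]  # ACL from the page's example


def acl_matches(client, acl):
    """acl is the string "any" (the documented default) or a list of
    addresses/prefixes; entries of the other address family never match."""
    if acl == "any":
        return True
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in acl)


def strips_aaaa(client, *, on_v4="no", on_v6="no", acl="any",
                has_a=True, has_rrsigs=False):
    """True if AAAA records would be removed from the response sent to
    `client` (the address the query arrived from)."""
    ip = ipaddress.ip_address(client)
    mode = on_v4 if ip.version == 4 else on_v6   # assumption: unset == "no"
    if mode == "no" or not has_a or not acl_matches(client, acl):
        return False
    if has_rrsigs and mode != "break-dnssec":
        return False   # "yes" leaves responses carrying signatures intact
    return True        # "break-dnssec" strips anyway; validation then fails


def scenarios():
    """Constructed cases, including the resolver caveat from the Note."""
    cfg = dict(on_v4="yes", on_v6="yes", acl=PAGE_ACL)
    return {
        "listed v4 client": strips_aaaa("192.0.2.1", **cfg),
        "unlisted v4 client": strips_aaaa("192.0.2.2", **cfg),
        "listed v6 client": strips_aaaa("2001:db8:2::1", **cfg),
        "name has no A": strips_aaaa("192.0.2.1", has_a=False, **cfg),
        "signed, yes": strips_aaaa("192.0.2.1", has_rrsigs=True, **cfg),
        "signed, break-dnssec": strips_aaaa(
            "192.0.2.1", on_v4="break-dnssec", acl=PAGE_ACL, has_rrsigs=True),
        # Dual-stack resolver asking over IPv4 with the default ACL: only the
        # resolver's source address is seen, so its IPv6 clients lose AAAA too.
        "resolver via v4, acl any": strips_aaaa("198.51.100.53", on_v4="yes"),
    }


if __name__ == "__main__":
    for name, stripped in scenarios().items():
        print(f"{name:26} AAAA stripped: {stripped}")
```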
  </div>

  <div class="refsection">
<a name="id-1.13.19.9"></a><h2>SEE ALSO</h2>
    <p>
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnstap-read.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnstap-read</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> host</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>