.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. highlight: console

.. iscman:: filter-a
.. _man_filter-a:

filter-a.so - filter A in DNS responses when AAAA is present
---------------------------------------------------------------

Synopsis
~~~~~~~~

:program:`plugin query` "filter-a.so" [{ parameters }];

Description
~~~~~~~~~~~

:program:`filter-a.so` is a query plugin module for :iscman:`named`, enabling
:iscman:`named` to omit some IPv4 addresses when responding to clients.

For example:

::

   plugin query "filter-a.so" {
       filter-a-on-v6 yes;
       filter-a-on-v4 yes;
       filter-a { 192.0.2.1; 2001:db8:2::1; };
   };

This module is intended to aid transition from IPv4 to IPv6 by
withholding IPv4 addresses from DNS clients that are not connected to
the IPv4 Internet, when the name being looked up has an IPv6 address
available. Use of this module is not recommended unless absolutely
necessary.

Note: This mechanism can erroneously cause other servers not to give
A records to their clients. If a recursing server with both IPv6 and
IPv4 network connections queries an authoritative server using this
mechanism via IPv6, it is denied A records even if its client is
using IPv4.

Options
~~~~~~~

``filter-a``
   This option specifies a list of client addresses for which A filtering is to
   be applied. The default is ``any``.

``filter-a-on-v6``
   If set to ``yes`` and the DNS client is at an IPv6 address matched by
   ``filter-a``, then, if the response does not include DNSSEC
   signatures, all A records are deleted from the response. This
   filtering applies to all responses, not only authoritative
   ones.

   If set to ``break-dnssec``, then A records are deleted even when
   DNSSEC is enabled. As suggested by the name, this causes the response
   to fail to verify, because the DNSSEC protocol is designed to detect
   deletions.

   This mechanism can erroneously cause other servers not to give A
   records to their clients. If a recursing server with both IPv6 and IPv4
   network connections queries an authoritative server using this
   mechanism via IPv6, it is denied A records even if its client is
   using IPv4.

``filter-a-on-v4``
   This option is identical to ``filter-a-on-v6``, except that it filters A responses
   to queries from IPv4 clients instead of IPv6 clients. To filter all
   responses, set both options to ``yes``.

See Also
~~~~~~~~

BIND 9 Administrator Reference Manual.
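
The filtering decision described under Options, written out as a small model. This is an added example, not code from BIND or ISC; the function names, the ``no`` setting used to mean "filtering off", and the sample addresses are assumptions made for illustration.

```python
# Added illustration: a model of the documented filter-a decision, not BIND code.
import ipaddress


def client_matches(client, acl):
    """True if the client address falls in any filter-a entry ('any' matches all)."""
    addr = ipaddress.ip_address(client)
    for entry in acl:
        if entry == "any":
            return True
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def strips_a(client, has_aaaa, signed, on_v4, on_v6, acl=("any",)):
    """Return True when A records would be withheld from this client's response."""
    addr = ipaddress.ip_address(client)
    mode = on_v6 if addr.version == 6 else on_v4   # option chosen by query transport
    if mode not in ("yes", "break-dnssec"):
        return False          # filtering disabled for this address family
    if not has_aaaa or not client_matches(client, acl):
        return False          # no AAAA to fall back on, or client not listed
    if signed and mode == "yes":
        return False          # "yes" leaves DNSSEC-signed responses intact
    return True               # unsigned, or break-dnssec: A records removed


# Constructed sample clients from documentation address ranges.
V6_ONLY_STUB = "2001:db8:2::1"
DUAL_STACK_RESOLVER = "2001:db8:53::53"   # recursing server querying over IPv6

if __name__ == "__main__":
    for label, kwargs in [
        ("stub, unsigned, yes", dict(client=V6_ONLY_STUB, signed=False, on_v6="yes")),
        ("stub, signed, yes", dict(client=V6_ONLY_STUB, signed=True, on_v6="yes")),
        ("stub, signed, break-dnssec",
         dict(client=V6_ONLY_STUB, signed=True, on_v6="break-dnssec")),
        ("resolver, filter-a any", dict(client=DUAL_STACK_RESOLVER, signed=False, on_v6="yes")),
        ("resolver, filter-a scoped",
         dict(client=DUAL_STACK_RESOLVER, signed=False, on_v6="yes",
              acl=("2001:db8:2::/64",))),
    ]:
        print(f"{label:28} -> A stripped: {strips_a(has_aaaa=True, on_v4='no', **kwargs)}")
```

The last two cases reproduce the caveat from the Description: with the default ``filter-a`` of ``any`` the dual-stack recursing server loses A records, while in this model a ``filter-a`` list limited to the IPv6-only client range leaves it unaffected.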