diff options
Diffstat (limited to 'doc/man/filter-aaaa.8in')
| -rw-r--r-- | doc/man/filter-aaaa.8in | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/doc/man/filter-aaaa.8in b/doc/man/filter-aaaa.8in new file mode 100644 index 0000000..ad6269a --- /dev/null +++ b/doc/man/filter-aaaa.8in @@ -0,0 +1,110 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "FILTER-AAAA" "8" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" +.SH NAME +filter-aaaa \- filter AAAA in DNS responses when A is present +.SH SYNOPSIS +.sp +\fBplugin query\fP \(dqfilter\-aaaa.so\(dq [{ parameters }]; +.SH DESCRIPTION +.sp +\fBfilter\-aaaa.so\fP is a query plugin module for \fI\%named\fP, enabling +\fI\%named\fP to omit some IPv6 addresses when responding to clients. +.sp +Until BIND 9.12, this feature was implemented natively in \fI\%named\fP and +enabled with the \fBfilter\-aaaa\fP ACL and the \fBfilter\-aaaa\-on\-v4\fP and +\fBfilter\-aaaa\-on\-v6\fP options. These options are now deprecated in +\fI\%named.conf\fP but can be passed as parameters to the +\fBfilter\-aaaa.so\fP plugin, for example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +plugin query \(dqfilter\-aaaa.so\(dq { + filter\-aaaa\-on\-v4 yes; + filter\-aaaa\-on\-v6 yes; + filter\-aaaa { 192.0.2.1; 2001:db8:2::1; }; +}; +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This module is intended to aid transition from IPv4 to IPv6 by +withholding IPv6 addresses from DNS clients which are not connected to +the IPv6 Internet, when the name being looked up has an IPv4 address +available. Use of this module is not recommended unless absolutely +necessary. +.sp +Note: This mechanism can erroneously cause other servers not to give +AAAA records to their clients. If a recursing server with both IPv6 and +IPv4 network connections queries an authoritative server using this +mechanism via IPv4, it is denied AAAA records even if its client is +using IPv6. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fBfilter\-aaaa\fP +This option specifies a list of client addresses for which AAAA filtering is to +be applied. The default is \fBany\fP\&. +.TP +.B \fBfilter\-aaaa\-on\-v4\fP +If set to \fByes\fP, this option indicates that the DNS client is at an IPv4 address, in +\fBfilter\-aaaa\fP\&. If the response does not include DNSSEC +signatures, then all AAAA records are deleted from the response. This +filtering applies to all responses, not only authoritative +ones. +.sp +If set to \fBbreak\-dnssec\fP, then AAAA records are deleted even when +DNSSEC is enabled. As suggested by the name, this causes the response +to fail to verify, because the DNSSEC protocol is designed to detect +deletions. +.sp +This mechanism can erroneously cause other servers not to give AAAA +records to their clients. If a recursing server with both IPv6 and IPv4 +network connections queries an authoritative server using this +mechanism via IPv4, it is denied AAAA records even if its client is +using IPv6. +.TP +.B \fBfilter\-aaaa\-on\-v6\fP +This option is identical to \fBfilter\-aaaa\-on\-v4\fP, except that it filters AAAA responses +to queries from IPv6 clients instead of IPv4 clients. To filter all +responses, set both options to \fByes\fP\&. +.UNINDENT +.SH SEE ALSO +.sp +BIND 9 Administrator Reference Manual. +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2023, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. |