manpagez: man pages & more
man filter-a(8)
Home | html | info | man
filter-a(8)                         BIND 9                         filter-a(8)


NAME

       filter-a - filter A in DNS responses when AAAA is present


SYNOPSIS

       plugin query "filter-a.so" [{ parameters }];


DESCRIPTION

       filter-a.so is a query plugin module for named, enabling named to omit
       some IPv4 addresses when responding to clients.

       For example:

          plugin query "filter-a.so" {
                  filter-a-on-v6 yes;
                  filter-a-on-v4 yes;
                  filter-a { 192.0.2.1; 2001:db8:2::1; };
          };

       This module is intended to aid transition from IPv4 to IPv6 by
       withholding IPv4 addresses from DNS clients which are not connected to
       the IPv4 Internet, when the name being looked up has an IPv6 address
       available. Use of this module is not recommended unless absolutely
       necessary.

       Note: This mechanism can erroneously cause other servers not to give A
       records to their clients. If a recursing server with both IPv6 and IPv4
       network connections queries an authoritative server using this
       mechanism via IPv6, it is denied A records even if its client is using
       IPv4.


OPTIONS


       filter-a
              This option specifies a list of client addresses for which A
              filtering is to be applied. The default is any.

       filter-a-on-v6
              If set to yes, this option indicates that the DNS client is at
              an IPv6 address, in filter-a. If the response does not include
              DNSSEC signatures, then all A records are deleted from the
              response. This filtering applies to all responses, not only
              authoritative ones.

              If set to break-dnssec, then A records are deleted even when
              DNSSEC is enabled. As suggested by the name, this causes the
              response to fail to verify, because the DNSSEC protocol is
              designed to detect deletions.

              This mechanism can erroneously cause other servers not to give A
              records to their clients. If a recursing server with both IPv6
              and IPv4 network connections queries an authoritative server
              using this mechanism via IPv6, it is denied A records even if
              its client is using IPv4.

       filter-a-on-v4
              This option is identical to filter-a-on-v6, except that it
              filters A responses to queries from IPv4 clients instead of IPv6
              clients. To filter all responses, set both options to yes.


SEE ALSO

       BIND 9 Administrator Reference Manual.


AUTHOR

       Internet Systems Consortium


COPYRIGHT

       2024, Internet Systems Consortium

9.20.3                            2024-10-07                       filter-a(8)

bind 9.20.3 - Generated Thu Oct 17 10:54:20 CDT 2024
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.