[dns-operations] Can you force your IPv4/v6 DNS server to return v4 responses only on recursive lookups

Phil Pennock dnsop+phil at spodhuis.org
Tue Jan 15 22:54:59 UTC 2013

On 2013-01-15 at 15:11 -0500, McGhee, Karen (Evolver) wrote:
> I should have said, the name server is BIND 9.8 running on RHEL5.5.

There's a configure-time option to bind9, `--enable-filter-aaaa`.  _If_
it was given, then:

options {
  filter-aaaa-on-v4 yes;

That won't filter AAAA if DNSSEC records are present; use `break-dnssec`
instead of `yes` if you _really_ want to drop all AAAA records.

I'm assuming you know how connectivity to resolver != connectivity to
end-sites and you're instead just using this as a crude filter for
systems behind middleware that will break _all_ IPv6, and are telling
customers to configure their auth DNS servers via IPv6 address if they
want to be able to reach IPv6-only sites, and if the customers are
internal, you're providing a way for them to modify the DHCP assignment
they'll get, to manage this.

And that you have a transition plan to get the non-IPv6 customers fixed
before DNSSEC rolls out to enough sites that validating forwarding
resolvers run by your customers won't break for the IPv4-only customers
(which might, of itself, be a crude hammer to encourage fixes).


More information about the dns-operations mailing list