[dns-operations] Can you force your IPv4/v6 DNS server to return v4 responses only on recursive lookups
Patrick, Robert (CONTR)
Robert.Patrick at hq.doe.gov
Tue Jan 15 23:15:53 UTC 2013
We need an option like this `break-dnssec` feature to use RPZ for stopping user access to DNSSEC-signed domains that are on a block list.
-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Phil Pennock
Sent: Tuesday, January 15, 2013 5:55 PM
To: McGhee, Karen (Evolver)
Cc: DNS Operations
Subject: Re: [dns-operations] Can you force your IPv4/v6 DNS server to return v4 responses only on recursive lookups
On 2013-01-15 at 15:11 -0500, McGhee, Karen (Evolver) wrote:
> I should have said, the name server is BIND 9.8 running on RHEL5.5.
There's a configure-time option to bind9, `--enable-filter-aaaa`. _If_
it was given, then:
options {
        filter-aaaa-on-v4 yes;
};
That won't filter AAAA if DNSSEC records are present; use `break-dnssec`
instead of `yes` if you _really_ want to drop all AAAA records.
I'm assuming you know how connectivity to resolver != connectivity to
end-sites and you're instead just using this as a crude filter for
systems behind middleware that will break _all_ IPv6, and are telling
customers to configure their auth DNS servers via IPv6 address if they
want to be able to reach IPv6-only sites, and if the customers are
internal, you're providing a way for them to modify the DHCP assignment
they'll get, to manage this.
And that you have a transition plan to get the non-IPv6 customers fixed
before DNSSEC rolls out to enough sites that validating forwarding
resolvers run by your customers won't break for the IPv4-only customers
(which might, of itself, be a crude hammer to encourage fixes).
-Phil
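The rule Phil gives (`yes` leaves DNSSEC-signed answers alone, `break-dnssec` strips AAAA regardless) and his warning about validating forwarders downstream, as an added model in Python. This is not code from the thread or from named itself: it encodes only the behaviour described above (not named's full filter logic), flattens the answer and authority sections into one list, and assumes that signature checks themselves would succeed so that only the deletion check matters. The record layout, the sample zones and the toy validator are assumptions for illustration.

```python
"""Toy model of BIND's filter-aaaa-on-v4 modes as described in the thread.

Added example, not named's code: it encodes the rule from the message
(filter AAAA for IPv4 clients; `yes` leaves DNSSEC-signed answers alone;
`break-dnssec` strips AAAA regardless) and shows why the latter "breaks
DNSSEC" by running a minimal validator over the result. Record layout,
sample zones and the validator are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str        # "A", "AAAA", "RRSIG", "NSEC"
    rdata: str
    covers: str = ""  # RRSIG only: the type the signature covers


@dataclass(frozen=True)
class Response:
    qname: str
    qtype: str
    answer: tuple     # answer + authority sections flattened (assumption)


def is_signed(resp: Response) -> bool:
    """Signed responses carry RRSIGs; this is the check `yes` keys off."""
    return any(rr.rtype == "RRSIG" for rr in resp.answer)


def filter_aaaa_on_v4(resp: Response, client_is_v4: bool, mode: str) -> Response:
    """Apply `filter-aaaa-on-v4 <mode>;` with mode in no | yes | break-dnssec.

    Follows the thread's description only: AAAA records (and the RRSIG
    covering them) are removed for IPv4 clients; `yes` skips the filter
    when the answer is signed, `break-dnssec` does not.
    """
    if mode not in ("no", "yes", "break-dnssec"):
        raise ValueError(f"unknown filter-aaaa-on-v4 mode {mode!r}")
    if mode == "no" or not client_is_v4:
        return resp
    if mode == "yes" and is_signed(resp):
        return resp  # signed data left intact so it still validates
    kept = tuple(rr for rr in resp.answer
                 if rr.rtype != "AAAA"
                 and not (rr.rtype == "RRSIG" and rr.covers == "AAAA"))
    return Response(resp.qname, resp.qtype, kept)


def validate(resp: Response, zone_signed: bool) -> str:
    """Minimal model of a validating resolver's verdict on one response.

    Signature verification is assumed to pass; the point is the deletion
    check: for a signed zone a NOERROR answer must carry either the
    requested RRset plus its RRSIG, or an NSEC proving the type is absent.
    """
    if not zone_signed:
        return "insecure"  # nothing to validate, deletions go unnoticed
    have_rrset = any(rr.rtype == resp.qtype for rr in resp.answer)
    have_sig = any(rr.rtype == "RRSIG" and rr.covers == resp.qtype
                   for rr in resp.answer)
    have_nsec = any(rr.rtype == "NSEC" for rr in resp.answer)
    if have_rrset and have_sig:
        return "secure"
    if not have_rrset and have_nsec:
        return "secure-nodata"
    return "bogus"  # data was deleted and there is no proof of absence


# Constructed sample answers for dual-stack hosts: one from an unsigned
# zone, one from a signed zone. Addresses are documentation prefixes and
# the RRSIG rdata is a placeholder.
UNSIGNED = Response("www.example.net.", "AAAA", (
    RR("www.example.net.", "AAAA", "2001:db8::1"),
))
SIGNED = Response("www.example.com.", "AAAA", (
    RR("www.example.com.", "AAAA", "2001:db8::2"),
    RR("www.example.com.", "RRSIG", "AAAA 8 3 300 ... example.com. <sig>",
       covers="AAAA"),
))


def outcome(resp: Response, zone_signed: bool, mode: str) -> tuple:
    """(AAAA records delivered to an IPv4 client, downstream verdict)."""
    out = filter_aaaa_on_v4(resp, client_is_v4=True, mode=mode)
    n_aaaa = sum(1 for rr in out.answer if rr.rtype == "AAAA")
    return n_aaaa, validate(out, zone_signed)


if __name__ == "__main__":
    for mode in ("no", "yes", "break-dnssec"):
        print(f"{mode:13s} unsigned zone: {outcome(UNSIGNED, False, mode)}"
              f"  signed zone: {outcome(SIGNED, True, mode)}")
```

Running it shows the trade-off in the message: with `yes`, the unsigned answer loses its AAAA while the signed one is delivered untouched, so IPv4-only clients behind the filter still receive IPv6 addresses for signed names; with `break-dnssec`, the signed answer loses its AAAA too, and a validating forwarder on the customer side has neither the RRset nor an NSEC proof and must treat the reply as bogus, which is the failure mode for IPv4-only customers that the last paragraph warns about.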