Thursday, September 29, 2011

Handy AAAA filter in BIND 9.8

The ISC introduced a pair of new configuration file options in BIND 9.8 to enable administrators to easily filter who may receive AAAA record type responses even if valid responses exist. For example, clients on subnets that do not have IPv6 network access can be excluded from receiving affirmative answers for AAAA queries. This feature provides simpler administration than the alternative mechanism using views.

The first option, filter-aaaa-on-v4, defines whether the server will return AAAA records to certain clients. Such clients are defined by the address match list parameter of the second option, filter-aaaa. Note that BIND must be compiled with the --enable-filter-aaaa option on the configure command line to enable AAAA filtering. The syntax of these options is as follows:

  • filter-aaaa-on-v4 (yes | no | break-dnssec) ;
  • filter-aaaa {addr_match_list;} ;

The filter-aaaa option identifies the address match list for which the filter-aaaa-on-v4 option is to be applied as described next. Multiple filter-aaaa options may be defined. The default is any.

If the filter-aaaa-on-v4 option is set to yes, AAAA records are filtered out of (not included in) the response if the client falls within the filter-aaaa address match list and no DNSSEC signatures are included. If set to no, such filtering is not performed and AAAA records are returned. If set to break-dnssec, the AAAA records are filtered out even if DNSSEC signatures exist.
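The named.conf fragment below is an added illustration of the two options working together; it is not taken from the original post or from ISC documentation. The ACL name "ipv4-only-clients" and its subnets are constructed placeholders, and the surrounding options are there only to make the fragment read as a realistic recursive-server configuration.

```conf
// Added example, not part of the original post: withhold AAAA answers from
// client subnets that have no IPv6 connectivity. Requires a BIND 9.8 build
// configured with --enable-filter-aaaa, otherwise named rejects these options.

acl "ipv4-only-clients" {
    192.0.2.0/24;        // constructed placeholder: a LAN with no IPv6 uplink
    198.51.100.0/24;     // constructed placeholder: another IPv4-only segment
};

options {
    directory "/var/cache/bind";
    recursion yes;
    dnssec-validation auto;

    // "yes": strip AAAA records from responses to clients matching filter-aaaa,
    // but leave them in place when the answer carries DNSSEC signatures so that
    // validating resolvers behind those subnets still see consistent data.
    // Use "break-dnssec" instead only if you accept that signed answers will
    // also be altered, which makes validation of those responses fail.
    filter-aaaa-on-v4 yes;

    // Replace the default address match list ("any") with just the IPv4-only
    // subnets; every other client continues to receive AAAA records.
    filter-aaaa { ipv4-only-clients; };
};
```

As subnets gain IPv6 access, remove them from the ACL rather than toggling filter-aaaa-on-v4 off globally, so the remaining IPv4-only clients keep the filtered behaviour.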

The filter-aaaa pair of options provides DNS-level control over the distribution of AAAA responses; just remember to remove (unfilter) the corresponding address match lists as you deploy IPv6 and enable IPv6 access!
