Hi all, I am not sure if the following behavior is working as designed or not. I have configured filter-aaaa-on-v4 to yes on my DNS Server.
Regarding this filter option, I have a working and a non-working example:

Working example (AAAA was filtered):

# dig www.google.com. AAAA +noall +answer +comments

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.2 <<>> www.google.com. AAAA +noall +answer +comments
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26914
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Non-working example (AAAA was NOT filtered!):

# dig ipv6.msftconnecttest.com AAAA +noall +answer +comments

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.2 <<>> ipv6.msftconnecttest.com AAAA +noall +answer +comments
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44238
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
ipv6.msftconnecttest.com. 900 IN CNAME v6ncsi.msedge.net.
v6ncsi.msedge.net. 60 IN CNAME ncsi.6-c-0003.c-msedge.net.
ncsi.6-c-0003.c-msedge.net. 60 IN CNAME 6-c-0003.c-msedge.net.
6-c-0003.c-msedge.net. 60 IN AAAA 2a01:111:2003::52

As you can see, in the second query the AAAA record was not filtered out of the response!

As a remark on the examples above:
- for www.google.com. there is an existing A record.
- for ipv6.msftconnecttest.com there is NO existing A record (AAAA only).

There are also additional AAAA-only records with the same behavior, where the AAAA records will not be filtered out either:

ipv6.google.com
loopsofzen.co.uk
ipv6.cybernode.com
v6.vvv.facebook.com

Question: is this working as designed or not? If yes, for which reasons?

I expected that this filter would filter every AAAA record. I don't see any reason why this should work only partially. Our goal is that no DNS client should receive AAAA records, because there is no IPv6 connectivity from the local network to the internet at all.

Any advice would be helpful.