We need an option like this `break-dnssec` feature to use RPZ for stopping user access to DNSSEC-signed domains that are on a block list.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Phil Pennock
Sent: Tuesday, January 15, 2013 5:55 PM
To: McGhee, Karen (Evolver)
Cc: DNS Operations
Subject: Re: [dns-operations] Can you force your IPv4/v6 DNS server to return v4 responses only on recursive lookups

On 2013-01-15 at 15:11 -0500, McGhee, Karen (Evolver) wrote:
> I should have said, the name server is BIND 9.8 running on RHEL5.5.

There's a configure-time option to bind9, `--enable-filter-aaaa`. _If_ it was given, then:

    options {
        filter-aaaa-on-v4 yes;
    };

That won't filter AAAA if DNSSEC records are present; use `break-dnssec` instead of `yes` if you _really_ want to drop all AAAA records.

I'm assuming you know how connectivity to resolver != connectivity to end-sites and you're instead just using this as a crude filter for systems behind middleware that will break _all_ IPv6, and are telling customers to configure their auth DNS servers via IPv6 address if they want to be able to reach IPv6-only sites, and if the customers are internal, you're providing a way for them to modify the DHCP assignment they'll get, to manage this.

And that you have a transition plan to get the non-IPv6 customers fixed before DNSSEC rolls out to enough sites that validating forwarding resolvers run by your customers won't break for the IPv4-only customers (which might, of itself, be a crude hammer to encourage fixes).

-Phil

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
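Added example, not from the thread: a named.conf fragment putting the two settings Phil describes side by side, so the DNSSEC trade-off is visible in one place. It assumes a BIND 9.8 build configured with `--enable-filter-aaaa` (without it, named rejects these options at startup); the `filter-aaaa` address list and the 192.0.2.0/24 client range are my additions, the range being a constructed sample.

```conf
// Added example, not from the thread. Assumes BIND 9.8 built with
// --enable-filter-aaaa; otherwise named refuses to start on these options.
// Constructed sample range: the IPv4-only clients behind the broken middleware.
acl "v4-only-clients" { 192.0.2.0/24; };

options {
    directory "/var/named";
    recursion yes;
    dnssec-validation yes;

    // Limit AAAA filtering to the listed clients (default is "any"),
    // so dual-stack clients keep receiving unmodified answers.
    filter-aaaa { "v4-only-clients"; };

    // Mode 1 (safe): drop AAAA from answers to IPv4 queries, but leave
    // DNSSEC-signed answers untouched so validating resolvers downstream
    // still get a response that verifies.
    filter-aaaa-on-v4 yes;

    // Mode 2: strip AAAA even when RRSIGs are present. A validating
    // forwarding resolver behind this server will reject the altered
    // answer for signed names, which is the breakage Phil warns about.
    // filter-aaaa-on-v4 break-dnssec;
};
```

Switch the comment between the two `filter-aaaa-on-v4` lines to move between modes; only one may be active at a time.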
