bind/doc/man/filter-a.8in

.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "FILTER-A" "8" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
filter-a \- filter A in DNS responses when AAAA is present
.SH SYNOPSIS
.sp
\fBplugin query\fP "filter\-a.so" [{ parameters }];
.SH DESCRIPTION
.sp
\fBfilter\-a.so\fP is a query plugin module for \fI\%named\fP, enabling
\fI\%named\fP to omit some IPv4 addresses when responding to clients.
.sp
For example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
plugin query "filter\-a.so" {
        filter\-a\-on\-v6 yes;
        filter\-a\-on\-v4 yes;
        filter\-a { 192.0.2.1; 2001:db8:2::1; };
};
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This module is intended to aid transition from IPv4 to IPv6 by
withholding IPv4 addresses from DNS clients which are not connected to
the IPv4 Internet, when the name being looked up has an IPv6 address
available. Use of this module is not recommended unless absolutely
necessary.
.sp
Note: This mechanism can erroneously cause other servers not to give
A records to their clients. If a recursing server with both IPv6 and
IPv4 network connections queries an authoritative server using this
mechanism via IPv6, it is denied A records even if its client is
using IPv4.
.SH OPTIONS
.INDENT 0.0
.TP
.B \fBfilter\-a\fP
This option specifies a list of client addresses for which A filtering is to
be applied. The default is \fBany\fP\&.
.TP
.B \fBfilter\-a\-on\-v6\fP
If set to \fByes\fP, this option indicates that the DNS client is at an IPv6 address, in
\fBfilter\-a\fP\&. If the response does not include DNSSEC
signatures, then all A records are deleted from the response. This
filtering applies to all responses, not only authoritative
ones.
.sp
If set to \fBbreak\-dnssec\fP, then A records are deleted even when
DNSSEC is enabled. As suggested by the name, this causes the response
to fail to verify, because the DNSSEC protocol is designed to detect
deletions.
.sp
This mechanism can erroneously cause other servers not to give A
records to their clients. If a recursing server with both IPv6 and IPv4
network connections queries an authoritative server using this
mechanism via IPv6, it is denied A records even if its client is
using IPv4.
.TP
.B \fBfilter\-a\-on\-v4\fP
This option is identical to \fBfilter\-a\-on\-v6\fP, except that it filters A responses
to queries from IPv4 clients instead of IPv6 clients. To filter all
responses, set both options to \fByes\fP\&.
.UNINDENT
.SH SEE ALSO
.sp
BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2022, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.