diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a17e..8e55b450dc 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -12,7 +12,7 @@ VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
 SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
-		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ hooks tests
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/bin/hooks/Makefile.in b/bin/hooks/Makefile.in
new file mode 100644
index 0000000000..69e571d199
--- /dev/null
+++ b/bin/hooks/Makefile.in
@@ -0,0 +1,84 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_PRODUCT@
+
+@BIND9_DESCRIPTION@
+
+@BIND9_SRCID@
+
+@BIND9_CONFIGARGS@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+		${NS_INCLUDES} ${DNS_INCLUDES} \
+		${ISCCFG_INCLUDES} ${ISC_INCLUDES}
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+NSLIBS =	../../lib/ns/libns.@A@
+
+LIBS =
+
+SO_TARGETS =	lib/filter-aaaa.@SO@
+TARGETS =	@SO_TARGETS@
+
+SO_OBJS =	filter-aaaa.@O@
+SO_SRCS =	filter-aaaa.c
+
+OBJS =
+
+CFLAGS =	@CFLAGS@ @SO_CFLAGS@
+SO_LDFLAGS =	@LDFLAGS@ @SO_LDFLAGS@
+
+MANPAGES =	filter-aaaa.8
+
+HTMLPAGES =	filter-aaaa.html
+
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+lib/filter-aaaa.@SO@: filter-aaaa.@SO@
+	$(SHELL) ${top_srcdir}/mkinstalldirs `pwd`/lib
+	${LIBTOOL_MODE_INSTALL} ${INSTALL} filter-aaaa.@SO@ `pwd`/lib
+
+filter-aaaa.@SO@: filter-aaaa.@O@
+	${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ \
+		filter-aaaa.@O@ ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+clean distclean::
+	rm -f filter-aaaa.so
+	rm -f ${TARGETS} ${OBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: filter-aaaa.@SO@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} filter-aaaa.@SO@ \
+		${DESTDIR}${libdir}
+	${INSTALL_DATA} ${srcdir}/filter-aaaa.8 ${DESTDIR}${mandir}/man8
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/filter-aaaa.@SO@
+	rm -f ${DESTDIR}${mandir}/man8/filter-aaaa.8
diff --git a/bin/hooks/filter-aaaa.8 b/bin/hooks/filter-aaaa.8
new file mode 100644
index 0000000000..f9204904c1
--- /dev/null
+++ b/bin/hooks/filter-aaaa.8
@@ -0,0 +1,116 @@
+.\" Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: filter-aaaa.so
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\"      Date: 2018-08-13
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "FILTER\-AAAA\&.SO" "8" "2018\-08\-13" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+filter-aaaa.so \- filter AAAA in DNS responses when A is present
+.SH "SYNOPSIS"
+.HP 28
+\fBhook query "filter\-aaaa\&.so"\fR [\fI{\ parameters\ }\fR];
+.SH "DESCRIPTION"
+.PP
+\fBfilter\-aaaa\&.so\fR
+is a query hook module for
+\fBnamed\fR, enabling
+\fBnamed\fR
+to omit some IPv6 addresses when responding to clients\&.
+.PP
+Until BIND 9\&.12, this feature was implemented natively in
+\fBnamed\fR
+and enabled with the
+\fBfilter\-aaaa\fR
+ACL and the
+\fBfilter\-aaaa\-on\-v4\fR
+and
+\fBfilter\-aaaa\-on\-v6\fR
+options\&. These options are now deprecated in
+named\&.conf, but can be passed as parameters to the
+\fBfilter\-aaaa\&.so\fR
+hook module, for example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+hook query "/usr/local/lib/filter\-aaaa\&.so" {
+        filter\-aaaa\-on\-v4 yes;
+        filter\-aaaa\-on\-v6 yes;
+        filter\-aaaa { 192\&.0\&.2\&.1; 2001:db8:2::1; };
+};
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This module is intended to aid transition from IPv4 to IPv6 by withholding IPv6 addresses from DNS clients which are not connected to the IPv6 Internet, when the name being looked up has an IPv4 address available\&. Use of this module is not recommended unless absolutely necessary\&.
+.PP
+Note: This mechanism can erroneously cause other servers not to give AAAA records to their clients\&. If a recursing server with both IPv6 and IPv4 network connections queries an authoritative server using this mechanism via IPv4, it will be denied AAAA records even if its client is using IPv6\&.
+.SH "OPTIONS"
+.PP
+\fBfilter\-aaaa\fR
+.RS 4
+Specifies a list of client addresses for which AAAA filtering is to be applied\&. The default is
+\fBany\fR\&.
+.RE
+.PP
+\fBfilter\-aaaa\-on\-v4\fR
+.RS 4
+If set to
+\fByes\fR, the DNS client is at an IPv4 address, in
+\fBfilter\-aaaa\fR, and if the response does not include DNSSEC signatures, then all AAAA records are deleted from the response\&. This filtering applies to all responses and not only authoritative responses\&.
+.sp
+If set to
+\fBbreak\-dnssec\fR, then AAAA records are deleted even when DNSSEC is enabled\&. As suggested by the name, this causes the response to fail to verify, because the DNSSEC protocol is designed to detect deletions\&.
+.sp
+This mechanism can erroneously cause other servers not to give AAAA records to their clients\&. A recursing server with both IPv6 and IPv4 network connections that queries an authoritative server using this mechanism via IPv4 will be denied AAAA records even if its client is using IPv6\&.
+.RE
+.PP
+\fBfilter\-aaaa\-on\-v6\fR
+.RS 4
+Identical to
+\fBfilter\-aaaa\-on\-v4\fR, except it filters AAAA responses to queries from IPv6 clients instead of IPv4 clients\&. To filter all responses, set both options to
+\fByes\fR\&.
+.RE
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2018 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/ns/filter-aaaa.c b/bin/hooks/filter-aaaa.c
similarity index 100%
rename from lib/ns/filter-aaaa.c
rename to bin/hooks/filter-aaaa.c
diff --git a/bin/hooks/filter-aaaa.docbook b/bin/hooks/filter-aaaa.docbook
new file mode 100644
index 0000000000..3a0581e9cd
--- /dev/null
+++ b/bin/hooks/filter-aaaa.docbook
@@ -0,0 +1,146 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.filter-aaaa">
+  <info>
+    <date>2018-08-13</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+  <refmeta>
+    <refentrytitle><application>filter-aaaa.so</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>filter-aaaa.so</application></refname>
+    <refpurpose>filter AAAA in DNS responses when A is present</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2018</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>hook query "filter-aaaa.so"</command>
+      <arg choice="opt" rep="norepeat"><replaceable class="parameter">{ parameters }</replaceable></arg>;
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+    <para>
+      <command>filter-aaaa.so</command> is a query hook module for
+      <command>named</command>, enabling <command>named</command>
+      to omit some IPv6 addresses when responding to clients.
+    </para>
+    <para>
+      Until BIND 9.12, this feature was impleented natively in
+      <command>named</command> and enabled with the
+      <command>filter-aaaa</command> ACL and the
+      <command>filter-aaaa-on-v4</command> and
+      <command>filter-aaaa-on-v6</command> options. These options are
+      now deprecated in <filename>named.conf</filename>, but can be
+      passed as parameters to the <command>filter-aaaa.so</command>
+      hook module, for example:
+    </para>
+    <programlisting>
+hook query "/usr/local/lib/filter-aaaa.so" {
+        filter-aaaa-on-v4 yes;
+        filter-aaaa-on-v6 yes;
+        filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
+};
+</programlisting>
+    <para>
+      This module is intended to aid transition from IPv4 to IPv6 by
+      withholding IPv6 addresses from DNS clients which are not connected
+      to the IPv6 Internet, when the name being looked up has an IPv4
+      address available.  Use of this module is not recommended unless
+      absolutely necessary.
+    </para>
+    <para>
+      Note: This mechanism can erroneously cause other servers not to
+      give AAAA records to their clients.  If a recursing server with
+      both IPv6 and IPv4 network connections queries an authoritative
+      server using this mechanism via IPv4, it will be denied AAAA
+      records even if its client is using IPv6.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+    <variablelist>
+      <varlistentry>
+	<term><command>filter-aaaa</command></term>
+	<listitem>
+	  <para>
+	    Specifies a list of client addresses for which AAAA
+	    filtering is to be applied.  The default is
+	    <userinput>any</userinput>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term><command>filter-aaaa-on-v4</command></term>
+	<listitem>
+	  <para>
+	    If set to <userinput>yes</userinput>, the DNS client is
+	    at an IPv4 address, in <command>filter-aaaa</command>,
+	    and if the response does not include DNSSEC signatures,
+	    then all AAAA records are deleted from the response.
+	    This filtering applies to all responses and not only
+	    authoritative responses.
+	  </para>
+	  <para>
+	    If set to <userinput>break-dnssec</userinput>,
+	    then AAAA records are deleted even when DNSSEC is
+	    enabled.  As suggested by the name, this causes the
+	    response to fail to verify, because the DNSSEC protocol is
+	    designed to detect deletions.
+	  </para>
+	  <para>
+	    This mechanism can erroneously cause other servers not to
+	    give AAAA records to their clients.  A recursing server with
+	    both IPv6 and IPv4 network connections that queries an
+	    authoritative server using this mechanism via IPv4 will be
+	    denied AAAA records even if its client is using IPv6.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term><command>filter-aaaa-on-v6</command></term>
+	<listitem>
+	  <para>
+	    Identical to <command>filter-aaaa-on-v4</command>,
+	    except it filters AAAA responses to queries from IPv6
+	    clients instead of IPv4 clients.  To filter all
+	    responses, set both options to <userinput>yes</userinput>.
+	  </para>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+    <para>
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>
diff --git a/bin/hooks/filter-aaaa.html b/bin/hooks/filter-aaaa.html
new file mode 100644
index 0000000000..e505f4ead2
--- /dev/null
+++ b/bin/hooks/filter-aaaa.html
@@ -0,0 +1,115 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>filter-aaaa.so</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.filter-aaaa"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">filter-aaaa.so</span> &#8212; filter AAAA in DNS responses when A is present</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">hook query "filter-aaaa.so"</code>  [<em class="replaceable"><code>{ parameters }</code></em>];
+    </p></div>
+</div>
+<div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+<p>
+      <span class="command"><strong>filter-aaaa.so</strong></span> is a query hook module for
+      <span class="command"><strong>named</strong></span>, enabling <span class="command"><strong>named</strong></span>
+      to omit some IPv6 addresses when responding to clients.
+    </p>
+<p>
+      Until BIND 9.12, this feature was implemented natively in
+      <span class="command"><strong>named</strong></span> and enabled with the
+      <span class="command"><strong>filter-aaaa</strong></span> ACL and the
+      <span class="command"><strong>filter-aaaa-on-v4</strong></span> and
+      <span class="command"><strong>filter-aaaa-on-v6</strong></span> options. These options are
+      now deprecated in <code class="filename">named.conf</code>, but can be
+      passed as parameters to the <span class="command"><strong>filter-aaaa.so</strong></span>
+      hook module, for example:
+    </p>
+<pre class="programlisting">
+hook query "/usr/local/lib/filter-aaaa.so" {
+        filter-aaaa-on-v4 yes;
+        filter-aaaa-on-v6 yes;
+        filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
+};
+</pre>
+<p>
+      This module is intended to aid transition from IPv4 to IPv6 by
+      withholding IPv6 addresses from DNS clients which are not connected
+      to the IPv6 Internet, when the name being looked up has an IPv4
+      address available.  Use of this module is not recommended unless
+      absolutely necessary.
+    </p>
+<p>
+      Note: This mechanism can erroneously cause other servers not to
+      give AAAA records to their clients.  If a recursing server with
+      both IPv6 and IPv4 network connections queries an authoritative
+      server using this mechanism via IPv4, it will be denied AAAA
+      records even if its client is using IPv6.
+    </p>
+</div>
+<div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
+<dd><p>
+	    Specifies a list of client addresses for which AAAA
+	    filtering is to be applied.  The default is
+	    <strong class="userinput"><code>any</code></strong>.
+	  </p></dd>
+<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
+<dd>
+<p>
+	    If set to <strong class="userinput"><code>yes</code></strong>, the DNS client is
+	    at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
+	    and if the response does not include DNSSEC signatures,
+	    then all AAAA records are deleted from the response.
+	    This filtering applies to all responses and not only
+	    authoritative responses.
+	  </p>
+<p>
+	    If set to <strong class="userinput"><code>break-dnssec</code></strong>,
+	    then AAAA records are deleted even when DNSSEC is
+	    enabled.  As suggested by the name, this causes the
+	    response to fail to verify, because the DNSSEC protocol is
+	    designed to detect deletions.
+	  </p>
+<p>
+	    This mechanism can erroneously cause other servers not to
+	    give AAAA records to their clients.  A recursing server with
+	    both IPv6 and IPv4 network connections that queries an
+	    authoritative server using this mechanism via IPv4 will be
+	    denied AAAA records even if its client is using IPv6.
+	  </p>
+</dd>
+<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
+<dd><p>
+	    Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
+	    except it filters AAAA responses to queries from IPv6
+	    clients instead of IPv4 clients.  To filter all
+	    responses, set both options to <strong class="userinput"><code>yes</code></strong>.
+	  </p></dd>
+</dl></div>
+</div>
+<div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+<p>
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/configure b/configure
index bbca641c1b..4839c207dc 100755
--- a/configure
+++ b/configure
@@ -21548,7 +21548,7 @@ ac_config_commands="$ac_config_commands chmod"
 # elsewhere if there's a good reason for doing so.
 #
 
-ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/isc/Makefile bin/python/isc/utils.py bin/python/isc/tests/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/python/dnssec-keymgr.py bin/python/isc/__init__.py bin/python/isc/checkds.py bin/python/isc/coverage.py bin/python/isc/dnskey.py bin/python/isc/eventlist.py bin/python/isc/keydict.py bin/python/isc/keyevent.py bin/python/isc/keymgr.py bin/python/isc/keyseries.py bin/python/isc/keyzone.py bin/python/isc/policy.py bin/python/isc/rndc.py bin/python/isc/tests/dnskey_test.py bin/python/isc/tests/policy_test.py bin/rndc/Makefile bin/tests/Makefile bin/tests/headerdep_test.sh bin/tests/optional/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/dlzs.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/pipelined/Makefile bin/tests/system/rndc/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/arm/noteversion.xml doc/arm/pkgversion.xml doc/arm/releaseinfo.xml doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/tex/Makefile doc/tex/armstyle.sty doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-manpage.xsl doc/xsl/isc-notes-html.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/irs/tests/Makefile lib/isc/pthreads/Makefile lib/isc/pthreads/include/Makefile lib/isc/pthreads/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccc/tests/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/isccfg/tests/Makefile lib/ns/Makefile lib/ns/include/Makefile lib/ns/include/ns/Makefile lib/ns/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/unittest.sh fuzz/Makefile"
+ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/hooks/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/isc/Makefile bin/python/isc/utils.py bin/python/isc/tests/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/python/dnssec-keymgr.py bin/python/isc/__init__.py bin/python/isc/checkds.py bin/python/isc/coverage.py bin/python/isc/dnskey.py bin/python/isc/eventlist.py bin/python/isc/keydict.py bin/python/isc/keyevent.py bin/python/isc/keymgr.py bin/python/isc/keyseries.py bin/python/isc/keyzone.py bin/python/isc/policy.py bin/python/isc/rndc.py bin/python/isc/tests/dnskey_test.py bin/python/isc/tests/policy_test.py bin/rndc/Makefile bin/tests/Makefile bin/tests/headerdep_test.sh bin/tests/optional/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/dlzs.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/pipelined/Makefile bin/tests/system/rndc/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/arm/noteversion.xml doc/arm/pkgversion.xml doc/arm/releaseinfo.xml doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/tex/Makefile doc/tex/armstyle.sty doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-manpage.xsl doc/xsl/isc-notes-html.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/irs/tests/Makefile lib/isc/pthreads/Makefile lib/isc/pthreads/include/Makefile lib/isc/pthreads/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccc/tests/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/isccfg/tests/Makefile lib/ns/Makefile lib/ns/include/Makefile lib/ns/include/ns/Makefile lib/ns/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/unittest.sh fuzz/Makefile"
 
 
 #
@@ -22558,6 +22558,7 @@ do
     "bin/delv/Makefile") CONFIG_FILES="$CONFIG_FILES bin/delv/Makefile" ;;
     "bin/dig/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dig/Makefile" ;;
     "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
+    "bin/hooks/Makefile") CONFIG_FILES="$CONFIG_FILES bin/hooks/Makefile" ;;
     "bin/named/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/Makefile" ;;
     "bin/named/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/unix/Makefile" ;;
     "bin/nsupdate/Makefile") CONFIG_FILES="$CONFIG_FILES bin/nsupdate/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index af7f90cead..b7f1037712 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2957,6 +2957,7 @@ AC_CONFIG_FILES([
 	bin/delv/Makefile
 	bin/dig/Makefile
 	bin/dnssec/Makefile
+	bin/hooks/Makefile
 	bin/named/Makefile
 	bin/named/unix/Makefile
 	bin/nsupdate/Makefile
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index d03dfa1434..00e5142d41 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6432,69 +6432,6 @@ options {
 	      </listitem>
 	    </varlistentry>
 
-	    <varlistentry>
-	      <term><command>filter-aaaa-on-v4</command></term>
-	      <listitem>
-		<para>
-		  This option is intended to help the
-		  transition from IPv4 to IPv6 by not giving IPv6 addresses
-		  to DNS clients unless they have connections to the IPv6
-		  Internet.  This is not recommended unless absolutely
-		  necessary.  The default is <userinput>no</userinput>.
-		  The <command>filter-aaaa-on-v4</command> option
-		  may also be specified in <command>view</command> statements
-		  to override the global <command>filter-aaaa-on-v4</command>
-		  option.
-		</para>
-		<para>
-		  If <userinput>yes</userinput>,
-		  the DNS client is at an IPv4 address, in <command>filter-aaaa</command>,
-		  and if the response does not include DNSSEC signatures,
-		  then all AAAA records are deleted from the response.
-		  This filtering applies to all responses and not only
-		  authoritative responses.
-		</para>
-		<para>
-		  If <userinput>break-dnssec</userinput>,
-		  then AAAA records are deleted even when DNSSEC is enabled.
-		  As suggested by the name, this makes the response not verify,
-		  because the DNSSEC protocol is designed detect deletions.
-		</para>
-		<para>
-		  This mechanism can erroneously cause other servers to
-		  not give AAAA records to their clients.
-		  A recursing server with both IPv6 and IPv4 network connections
-		  that queries an authoritative server using this mechanism
-		  via IPv4 will be denied AAAA records even if its client is
-		  using IPv6.
-		</para>
-		<para>
-		  This mechanism is applied to authoritative as well as
-		  non-authoritative records.
-		  A client using IPv4 that is not allowed recursion can
-		  erroneously be given AAAA records because the server is not
-		  allowed to check for A records.
-		</para>
-		<para>
-		  Some AAAA records are given to IPv4 clients in glue records.
-		  IPv4 clients that are servers can then erroneously
-		  answer requests for AAAA records received via IPv4.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>filter-aaaa-on-v6</command></term>
-	      <listitem>
-		<para>
-		  Identical to <command>filter-aaaa-on-v4</command>,
-		  except it filters AAAA responses to queries from IPv6
-		  clients instead of IPv4 clients.  To filter all
-		  responses, set both options to <userinput>yes</userinput>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
 	    <varlistentry>
 	      <term><command>ixfr-from-differences</command></term>
 	      <listitem>
@@ -7347,18 +7284,6 @@ options {
 	      </listitem>
 	    </varlistentry>
 
-	    <varlistentry>
-	      <term><command>filter-aaaa</command></term>
-	      <listitem>
-		<para>
-		  Specifies a list of addresses to which
-		  <command>filter-aaaa-on-v4</command>
-		  and <command>filter-aaaa-on-v6</command>
-		  apply.  The default is <userinput>any</userinput>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
 	    <varlistentry>
 	      <term><command>keep-response-order</command></term>
 	      <listitem>
@@ -18351,6 +18276,7 @@ allow-query { !{ !10/8; any; }; key example; };
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-signzone.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-verify.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/dnstap-read.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/hooks/filter-aaaa.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/host.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/mdig.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/check/named-checkconf.docbook"/>
diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html
new file mode 100644
index 0000000000..ad4c62b5a7
--- /dev/null
+++ b/doc/arm/man.filter-aaaa.html
@@ -0,0 +1,153 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>filter-aaaa.so</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
+<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
+<link rel="prev" href="man.dnstap-read.html" title="dnstap-read">
+<link rel="next" href="man.host.html" title="host">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">filter-aaaa.so</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnstap-read.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry">
+<a name="man.filter-aaaa"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">filter-aaaa.so</span> &#8212; filter AAAA in DNS responses when A is present</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">hook query "filter-aaaa.so"</code>  [<em class="replaceable"><code>{ parameters }</code></em>];
+    </p></div>
+</div>
+<div class="refsection">
+<a name="id-1.13.19.7"></a><h2>DESCRIPTION</h2>
+<p>
+      <span class="command"><strong>filter-aaaa.so</strong></span> is a query hook module for
+      <span class="command"><strong>named</strong></span>, enabling <span class="command"><strong>named</strong></span>
+      to omit some IPv6 addresses when responding to clients.
+    </p>
+<p>
+      Until BIND 9.12, this feature was impleented natively in
+      <span class="command"><strong>named</strong></span> and enabled with the
+      <span class="command"><strong>filter-aaaa</strong></span> ACL and the
+      <span class="command"><strong>filter-aaaa-on-v4</strong></span> and
+      <span class="command"><strong>filter-aaaa-on-v6</strong></span> options. These options are
+      now deprecated in <code class="filename">named.conf</code>, but can be
+      passed as parameters to the <span class="command"><strong>filter-aaaa.so</strong></span>
+      hook module, for example:
+    </p>
+<pre class="programlisting">
+hook query "/usr/local/lib/filter-aaaa.so" {
+        filter-aaaa-on-v4 yes;
+        filter-aaaa-on-v6 yes;
+        filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
+};
+</pre>
+<p>
+      This module is intended to aid transition from IPv4 to IPv6 by
+      withholding IPv6 addresses from DNS clients which are not connected
+      to the IPv6 Internet, when the name being looked up has an IPv4
+      address available.  Use of this module is not recommended unless
+      absolutely necessary.
+    </p>
+<p>
+      Note: This mechanism can erroneously cause other servers not to
+      give AAAA records to their clients.  If a recursing server with
+      both IPv6 and IPv4 network connections queries an authoritative
+      server using this mechanism via IPv4, it will be denied AAAA
+      records even if its client is using IPv6.
+    </p>
+</div>
+<div class="refsection">
+<a name="id-1.13.19.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
+<dd><p>
+	    Specifies a list of client addresses for which AAAA
+	    filtering is to be applied.  The default is
+	    <strong class="userinput"><code>any</code></strong>.
+	  </p></dd>
+<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
+<dd>
+<p>
+	    If set to <strong class="userinput"><code>yes</code></strong>, the DNS client is
+	    at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
+	    and if the response does not include DNSSEC signatures,
+	    then all AAAA records are deleted from the response.
+	    This filtering applies to all responses and not only
+	    authoritative responses.
+	  </p>
+<p>
+	    If set to <strong class="userinput"><code>break-dnssec</code></strong>,
+	    then AAAA records are deleted even when DNSSEC is
+	    enabled.  As suggested by the name, this causes the
+	    response to fail to verify, because the DNSSEC protocol is
+	    designed to detect deletions.
+	  </p>
+<p>
+	    This mechanism can erroneously cause other servers not to
+	    give AAAA records to their clients.  A recursing server with
+	    both IPv6 and IPv4 network connections that queries an
+	    authoritative server using this mechanism via IPv4 will be
+	    denied AAAA records even if its client is using IPv6.
+	  </p>
+</dd>
+<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
+<dd><p>
+	    Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
+	    except it filters AAAA responses to queries from IPv6
+	    clients instead of IPv4 clients.  To filter all
+	    responses, set both options to <strong class="userinput"><code>yes</code></strong>.
+	  </p></dd>
+</dl></div>
+</div>
+<div class="refsection">
+<a name="id-1.13.19.9"></a><h2>SEE ALSO</h2>
+<p>
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnstap-read.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnstap-read</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> host</td>
+</tr>
+</table>
+</div>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
+</body>
+</html>
diff --git a/lib/ns/Makefile.in b/lib/ns/Makefile.in
index ede65f8674..e785969b51 100644
--- a/lib/ns/Makefile.in
+++ b/lib/ns/Makefile.in
@@ -54,8 +54,7 @@ SRCS =		client.c hooks.c interfacemgr.c lib.c listenlist.c \
 
 SUBDIRS =	include
 TESTDIRS =	@UNITTESTS@
-SO_TARGETS =    filter-aaaa.@SO@
-TARGETS =	timestamp @SO_TARGETS@
+TARGETS =	timestamp
 
 SO_CFLAGS =	@CFLAGS@ @SO_CFLAGS@
 SO_LDFLAGS =	@LDFLAGS@ @SO_LDFLAGS@
@@ -84,14 +83,6 @@ libns.la: ${OBJS}
 timestamp: libns.@A@
 	touch timestamp
 
-filter-aaaa.@O@: filter-aaaa.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} ${SO_CFLAGS} \
-		-c ${srcdir}/filter-aaaa.c
-
-filter-aaaa.@SO@: filter-aaaa.o libns.@A@
-	${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ filter-aaaa.o \
-		${ISCLIBS} ${DNSLIBS} libns.@A@ ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${DNSLIBS} ${LIBS}
-
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
 
@@ -103,4 +94,4 @@ uninstall::
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
 
 clean distclean::
-	rm -f libns.@A@ timestamp filter-aaaa.@O@ filter-aaaa.@SO@
+	rm -f libns.@A@ timestamp