filter-aaaa-on-v4 does not filter AAAA if there is no existing A Record with the same FQDN - working as designed?

addie addie at gmx.ch
Tue Jan 24 11:53:14 UTC 2017


Hi all,
 
I am not sure if the following behavior is working as designed or not.
I have configured filter-aaaa-on-v4 to yes on my DNS Server.

Regarding this filter option, I have a working and a non-working example:

Working example (AAAA was filtered):

# dig www.google.com. AAAA +noall +answer +comments
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.2 <<>> www.google.com. AAAA +noall +answer +comments
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26914
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


Non-working example (AAAA was NOT filtered!):

# dig ipv6.msftconnecttest.com AAAA +noall +answer +comments
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.2 <<>> ipv6.msftconnecttest.com AAAA +noall +answer +comments
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44238
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
ipv6.msftconnecttest.com. 900   IN      CNAME   v6ncsi.msedge.net.
v6ncsi.msedge.net.      60      IN      CNAME   ncsi.6-c-0003.c-msedge.net.
ncsi.6-c-0003.c-msedge.net. 60  IN      CNAME   6-c-0003.c-msedge.net.
6-c-0003.c-msedge.net.  60      IN      AAAA    2a01:111:2003::52


As you can see, in the second query the AAAA record was not filtered out of the response!


As a remark on the examples above:
- for www.google.com. there is an existing A-Record.
- for ipv6.msftconnecttest.com there is NO existing A-Record (AAAA only).


There are also additional AAAA-only records with the same behavior, where the AAAA records are not filtered out either:
ipv6.google.com
loopsofzen.co.uk
ipv6.cybernode.com
v6.vvv.facebook.com

Question:
Is this working as designed or not? If yes, for which reasons?
I expected that this filter would filter every AAAA record. I don't see any reason why this should work partially.
Our goal is that no DNS client should receive AAAA records, because there is no IPv6 connectivity from the local network to the internet at all.

Any advice would be helpful.
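An added check, not code from the post or from BIND, that classifies a name as dual-stack or AAAA-only from saved dig output, which is the distinction the post draws between www.google.com and ipv6.msftconnecttest.com. It follows the CNAME chain to the owner of the address records and uses the post's AAAA answer as sample input together with a constructed, empty A answer for the same name.

```python
import re

# Constructed sample input: the AAAA answer quoted in the post, plus a
# constructed (not captured) A-query result for the same name, empty because
# the post states the name is AAAA-only.
DIG_AAAA_MSFT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
ipv6.msftconnecttest.com. 900   IN      CNAME   v6ncsi.msedge.net.
v6ncsi.msedge.net.      60      IN      CNAME   ncsi.6-c-0003.c-msedge.net.
ncsi.6-c-0003.c-msedge.net. 60  IN      CNAME   6-c-0003.c-msedge.net.
6-c-0003.c-msedge.net.  60      IN      AAAA    2a01:111:2003::52
"""
DIG_A_MSFT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")  # owner ttl IN type rdata

def parse_answer(dig_output):
    """Return (owner, type, rdata) tuples from the ANSWER SECTION only."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";;"):            # section header or comment line
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR.match(line.strip())
        if in_answer and m:
            records.append((m.group(1).lower(), m.group(2), m.group(3).strip()))
    return records

def canonical_name(records, qname):
    """Follow the CNAME chain from qname to the owner of the address records."""
    cnames = {owner: rdata.lower() for owner, rtype, rdata in records if rtype == "CNAME"}
    name, seen = qname.lower().rstrip(".") + ".", set()
    while name in cnames and name not in seen:   # stop on CNAME loops
        seen.add(name)
        name = cnames[name]
    return name

def classify(qname, a_output, aaaa_output):
    """Summarise what the resolver handed out for qname over A and AAAA."""
    a_recs, aaaa_recs = parse_answer(a_output), parse_answer(aaaa_output)
    has_a = any(t == "A" for _, t, _ in a_recs)
    has_aaaa = any(t == "AAAA" for _, t, _ in aaaa_recs)
    return {"target": canonical_name(aaaa_recs + a_recs, qname),
            "has_a": has_a, "has_aaaa": has_aaaa,
            "aaaa_only": has_aaaa and not has_a}
```

Call `classify(name, a_output, aaaa_output)` with the two dig outputs saved for each name in the post's list to see which of them are AAAA-only behind their CNAME chains.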


More information about the bind-users mailing list