How to disable IPv6 AAAA dynamic updates?

Denis Laventure Denis_Laventure at uqac.ca
Fri Mar 7 14:50:40 UTC 2008


Mark Andrews wrote:
>> Chris Thompson wrote:
>>     
>>> On Mar 6 2008, Denis Laventure wrote:
>>>
>>>       
>>>> We have a DDNS setup with IPv4 only (Bind 9.4.2). With Vista and IPv6 
>>>> (activated by default) we always get AAAA entries on our DDNS tables. 
>>>> I tried to disable IPv6 with -4 on named command line, I added 
>>>> listen-on-v6 { none; }; to my config, I disabled IPv6 on my OS... 
>>>>         
>>> All those are to do with whether BIND will listen for requests on IPv6
>>> connections, or talk to other nameservers over IPv6. They say nothing
>>> about what sort of record types it will handle, and it's a category 
>>> error to think that it might. It's like thinking that if a nameserver
>>> doesn't use e-mail it would refuse to handle MX records.
>>>
>>>       
>> I know that was for 'listening' but I had to try since I didn't know how 
>> to do it.
>>     
>>>> Nothing works, I still get AAAA added to my forward table.
>>>>
>>>> Is there a way to disable IPv6 dynamic updates from IPv6 clients in 
>>>> bind?
>>>>         
>>> Well, you might be able to use "update-policy" to forbid updates to type
>>> AAAA records, but that assumes your update requests are signed. Are they?
>>>
>>>       
>> The updates are not signed on this DNS server. We're in the process of 
>> moving to another one that has updates from DHCP only, no client will 
>> be allowed to update directly. BUT, our domain servers (Windows Server 
>> 2003) will, and the updates are not signed (we're waiting for Bind 9.5 
>> GSS-TSIG for this). They seem to add AAAA records even if we disable 
>> IPv6 on the interface.
>>
>> I will check the update-policy clause.
>>
>> Denis Laventure
>>     
>
> 	Well you should talk to Microsoft as this appears to be a
> 	bug in Windows.  If the interface has IPv6 disabled there
> 	should be no AAAA records being added to the DNS.
>
> 	If the interface does have IPv6 enabled then it is perfectly
> 	reasonable to add the AAAA addresses to the DNS.
>
> 	BIND is not the place to fix this issue.
>
> 	Mark
>   
Our servers are Windows Server 2008, not 2003. I found an article on 
Microsoft TechNet that explains how to disable IPv6 with a registry key. 
Disabling IPv6 on the interface is not enough on Vista and 2008... Now I 
don't have AAAA records in my DNS.
Denis
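
The "update-policy" approach mentioned in the thread, sketched as an added named.conf example that is not part of the original messages. It only helps once updates are TSIG-signed, as noted above. The key name, zone name, file path and secret are placeholders, and TXT is allowed on the assumption that the DHCP server keeps its lease identifier in a TXT record.

```conf
// Constructed example: all names, paths and the secret are placeholders.
key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // update-policy replaces allow-update; a zone cannot carry both.
    update-policy {
        // Rules are checked in order and the first match decides.
        // Explicitly refuse AAAA changes made with this key.
        deny  dhcp-ddns subdomain example.com. AAAA;
        // Allow only A and TXT changes at or below the zone apex.
        grant dhcp-ddns subdomain example.com. A TXT;
        // An update that matches no rule is refused.
    };
};
```

Because the rules match on the identity of the key that signed the request, this does not filter record types for unsigned updates accepted through allow-update.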
