How to disable IPv6 AAAA dynamic updates?

Danny Mayer mayer at gis.net
Tue Mar 11 02:13:43 UTC 2008


Denis Laventure wrote:
> Mark Andrews wrote:
>>> Chris Thompson wrote:
>>>     
>>>> On Mar 6 2008, Denis Laventure wrote:
>>>>
>>>>       
>>>>> We have a DDNS setup with IPv4 only (Bind 9.4.2). With Vista and IPv6 
>>>>> (activated by default) we always get AAAA entries on our DDNS tables. 
>>>>> I tried to disable IPv6 with -4 on named command line, I added 
>>>>> listen-on-v6 { none; }; to my config, I disabled IPv6 on my OS... 
>>>>>         
>>>> All those are to do with whether BIND will listen for requests on IPv6
>>>> connections, or talk to other nameservers over IPv6. They say nothing
>>>> about what sort of record types it will handle, and it's a category 
>>>> error to think that it might. It's like thinking that if a nameserver
>>>> doesn't use e-mail it would refuse to handle MX records.
>>>>
>>>>       
>>> I know that was for 'listening' but I had to try since I didn't know how 
>>> to do it.
>>>     
>>>>> Nothing works, I still get AAAA added to my forward table.
>>>>>
>>>>> Is there a way to disable IPv6 dynamic updates from IPv6 clients in 
>>>>> bind?
>>>>>         
>>>> Well, you might be able to use "update-policy" to forbid updates to type
>>>> AAAA records, but that assumes your update requests are signed. Are they?
>>>>
>>>>       
>>> The updates are not signed on this DNS server. We're in the process of 
>>> moving to another one that has updates from DHCP only, no client will 
>>> be allowed to update directly. BUT, our domain servers (Windows Server 
>>> 2003) will, and the updates are not signed (we're waiting for Bind 9.5 
>>> GSS-TSIG for this). They seem to add AAAA records even if we disable 
>>> IPv6 on the interface.
>>>
>>> I will check the update-policy clause.
>>>
>>> Denis Laventure
>>>     
>> 	Well you should talk to Microsoft as this appears to be a
>> 	bug in Windows.  If the interface has IPv6 disabled there
>> 	should be no AAAA records being added to the DNS.
>>
>> 	If the interface does have IPv6 enabled then it is perfectly
>> 	reasonable to add the AAAA addresses to the DNS.
>>
>> 	BIND is not the place to fix this issue.
>>
>> 	Mark
>>   
> Our servers are Windows Server 2008 not 2003. I found an article on 
> Microsoft TechNet that explains how to disable IPv6 with a registry key. 
> Disabling IPv6 on the interface is not enough on Vista and 2008... Now I 
> don't have AAAA records in my DNS.
> Denis

netsh interface ipv6 uninstall

Danny
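
The update-policy approach Chris Thompson mentions in the quoted thread, as an added named.conf fragment (an illustration added here, not configuration posted by anyone in the thread). The zone name, file path, key name and secret are placeholders, and it assumes updates arrive TSIG-signed from the DHCP server.

```conf
// Constructed example: key name, secret, zone name and file path are placeholders.
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // update-policy is used instead of allow-update; the two cannot be
    // combined in the same zone.
    update-policy {
        // Updates signed with the DHCP server's key may touch only A and
        // TXT records under the zone (TXT is what ISC dhcpd writes next to
        // each A record for conflict detection). AAAA is not in the type
        // list, so a signed request to add an AAAA record is refused.
        grant dhcp-updater subdomain example.com. A TXT;
    };
};
```

Unsigned requests match no grant rule and are refused outright, so this fits the DHCP-only update setup described in the thread, not direct updates from clients or unsigned domain servers.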

