<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><blockquote type="cite" class=""><div class="">On Apr 14, 2019, at 5:35 PM, Carl Byington via bind-users &lt;<a href="mailto:bind-users@lists.isc.org" class="">bind-users@lists.isc.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">-----BEGIN PGP SIGNED MESSAGE-----<br class="">Hash: SHA512<br class=""><br class="">view "normal" {<br class=""> plugin query "filter-aaaa.so" {<br class=""> filter-aaaa-on-v4 yes;<br class=""> filter-aaaa { "brokenv6"; };<br class=""> };<br class="">....<br class=""><br class="">named-checkconf likes that, but named gets a segfault in filter-aaaa.so.<br class="">Anyone using filter-aaaa.so in a working configuration? The log shows:<br class=""><br class=""></div></blockquote><div class=""><br class=""></div>Hi Carl,<div class=""><br class=""></div><div class="">I think I know what the problem is. We added a new ‘feature’ in BIND 9.14.0, support for plug-in modules to modify query processing. The first module we created was to support the filter-aaaa function.</div><div class=""><br class=""></div><div class="">As a result, you have to change the syntax for configuring this feature. This was release-noted, but I see it was not clearly stated in the release note that this is a non-backwards-compatible change and requires a configuration update.</div><div class=""><br class=""></div><div class=""><pre class="highlight code" lang="html"><span id="LC335" class="line" lang="html">5106. [experimental] A new "plugin" mechanism has been added to allow</span>
<span id="LC336" class="line" lang="html"> extension of query processing functionality through</span>
<span id="LC337" class="line" lang="html"> the use of dynamically loadable libraries. A</span>
<span id="LC338" class="line" lang="html"> "filter-aaaa.so" plugin has been implemented,</span>
<span id="LC339" class="line" lang="html"> replacing the filter-aaaa feature that was formerly</span>
<span id="LC340" class="line" lang="html"> implemented as a native part of BIND.</span>
<span id="LC341" class="line" lang="html"></span>
<span id="LC342" class="line" lang="html"> The "filter-aaaa", "filter-aaaa-on-v4" and</span>
<span id="LC343" class="line" lang="html"> "filter-aaaa-on-v6" options can no longer be</span>
<span id="LC344" class="line" lang="html"> configured using native named.conf syntax. However,</span>
<span id="LC345" class="line" lang="html"> loading the filter-aaaa.so plugin and setting its</span>
<span id="LC346" class="line" lang="html"> parameters provides identical functionality.</span>
<span id="LC347" class="line" lang="html"></span>
<span id="LC348" class="line" lang="html"> Note that the plugin API is a work in progress and</span>
<span id="LC349" class="line" lang="html"> is likely to evolve as further plugins are</span>
<span id="LC350" class="line" lang="html"> implemented. [GL #15]</span>
</pre><div class="">From the ARM:</div><div class="">
<div class="page" title="Page 244">
<div class="layoutArea">
<div class="column"><p class=""><span style="font-size: 11.000000pt; font-family: 'NimbusSanL'; font-weight: 700" class="">DESCRIPTION
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa.so </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">is a query plugin module for </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">named</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">, enabling </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">named </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">to omit some IPv6 addresses
when responding to clients.
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">Until BIND 9.12, this feature was implemented natively in </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">named </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">and enabled with the </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa </span>
<span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">ACL and the </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa-on-v4 </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">and </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa-on-v6 </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">options. These options are now deprecated
in </span><span style="font-size: 10.000000pt; font-family: 'NimbusMonL'" class="">named.conf</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">, but can be passed as parameters to the </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa.so </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">plugin, for example:
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">This module is intended to aid transition from IPv4 to IPv6 by withholding IPv6 addresses from
DNS clients which are not connected to the IPv6 Internet, when the name being looked up has
an IPv4 address available. Use of this module is not recommended unless absolutely necessary.
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">Note: This mechanism can erroneously cause other servers not to give AAAA records to their
clients. If a recursing server with both IPv6 and IPv4 network connections queries an authoritative
server using this mechanism via IPv4, it will be denied AAAA records even if its client is
using IPv6.
</span></p><p class=""><span style="font-size: 11.000000pt; font-family: 'NimbusSanL'; font-weight: 700" class="">OPTIONS
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">Specifies a list of client addresses for which AAAA filtering is to be applied. The default
is </span><span style="font-size: 10.000000pt; font-family: 'NimbusMonL'; font-weight: 700" class="">any</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">.
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa-on-v4<br class="">
</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">If set to </span><span style="font-size: 10.000000pt; font-family: 'NimbusMonL'; font-weight: 700" class="">yes</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">, the DNS client is at an IPv4 address, in </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">, and if the response does
not include DNSSEC signatures, then all AAAA records are deleted from the response.
This filtering applies to all responses and not only authoritative responses.
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">If set to </span><span style="font-size: 10.000000pt; font-family: 'NimbusMonL'; font-weight: 700" class="">break-dnssec</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">, then AAAA records are deleted even when DNSSEC is enabled.
As suggested by the name, this causes the response to fail to verify, because the DNSSEC
protocol is designed to detect deletions.
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">This mechanism can erroneously cause other servers not to give AAAA records to their
clients. A recursing server with both IPv6 and IPv4 network connections that queries an
authoritative server using this mechanism via IPv4 will be denied AAAA records even if
its client is using IPv6.
</span></p><p class=""><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa-on-v6<br class="">
</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">Identical to </span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'; font-weight: 700" class="">filter-aaaa-on-v4</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">, except it filters AAAA responses to queries from IPv6 clients
instead of IPv4 clients. To filter all responses, set both options to </span><span style="font-size: 10.000000pt; font-family: 'NimbusMonL'; font-weight: 700" class="">yes</span><span style="font-size: 10.000000pt; font-family: 'URWPalladioL'" class="">. </span></p>
</div>
</div>
</div></div><div><br class=""></div><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Victoria Risk</div><div class="">Product Manager</div><div class="">Internet Systems Consortium</div><div class=""><a href="mailto:vicky@isc.org" class="">vicky@isc.org</a></div><div class=""><br class=""></div></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
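<div class="">Added example (not part of the original message, and not ISC code): a small Python check that walks named.conf text and reports, for each of the three options named in the release note, whether it sits inside a plugin block or is still written in native syntax. Both sample configurations are constructed; the second repeats the plugin form quoted above with the view closed so that it parses, and comments inside quoted strings are assumed not to occur.</div>
<pre class="">
```python
import re

# The three options the release note says moved into filter-aaaa.so parameters.
MOVED = ("filter-aaaa", "filter-aaaa-on-v4", "filter-aaaa-on-v6")
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def strip_comments(text):
    """Drop /* */, // and # comments (assumes none occur inside quoted strings)."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)

def classify(conf):
    """Return (option, 'plugin' or 'native', enclosing block) for each moved option."""
    found, stack, stmt = [], [], []
    for tok in TOKEN.findall(strip_comments(conf)):
        if tok == "{":
            stack.append(stmt[0] if stmt else "")  # remember the block keyword
            stmt = []
        elif tok in ("}", ";"):
            if tok == "}" and stack:
                stack.pop()
            stmt = []
        else:
            stmt.append(tok)
            if len(stmt) == 1 and tok in MOVED:  # option keyword starts a statement
                where = "plugin" if "plugin" in stack else "native"
                found.append((tok, where, stack[-1] if stack else "top-level"))
    return found

def native_leftovers(conf):
    """Options still in pre-9.14 native syntax, i.e. the ones to migrate."""
    return [(opt, blk) for opt, where, blk in classify(conf) if where == "native"]

# Constructed sample: pre-9.14 style, options set natively.
LEGACY = '''
options {
    filter-aaaa-on-v4 yes;          // native syntax
    filter-aaaa { 192.0.2.0/24; };
};
'''
# Plugin form as quoted in the message above; closing of the view added here.
PLUGIN = '''
view "normal" {
    plugin query "filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
        filter-aaaa { "brokenv6"; };
    };
};
'''
```
</pre>
<div class="">An empty result from native_leftovers() means every filter-aaaa setting is already passed as a plugin parameter, so a remaining failure has to be looked for somewhere other than the syntax change.</div>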
<br class=""></div></body></html>