Well, if that's the case then something is broken in the build.
I want to note that what follows first is under Debian 10; I will discuss Debian 11 at the very bottom, as it is broken in a different manner.
The ISC manual says:
an options statement to enable it (for example, filter-aaaa-on-v4 yes; and/or filter-aaaa-on-v6 yes;) must be declared in named.conf.
And so I edited my named.conf file by including: filter-aaaa-on-v6 yes
BIND9 would not restart and generated the error:
May 08 09:58:05 Mail named[11869]: /etc/bind/named.conf:12: unknown option 'filter-aaaa-on-v6'
May 08 09:58:05 Mail named[11869]: loading configuration: failure
May 08 09:58:05 Mail named[11869]: exiting (due to fatal error)
I commented out the offending line in named.conf and BIND9 successfully loaded like normal.
The manual says:
If filter-aaaa-on-v4 or filter-aaaa-on-v6 is set to break-dnssec instead of yes, then AAAA records will be omitted even if they are signed. RRSIG records covering type AAAA will be omitted as well.
I put the commands in the named.conf.options instead. So these two lines were added.
filter-aaaa-on-v4 break-dnssec;
filter-aaaa-on-v6 break-dnssec;
BIND loaded but the filtering didn't work.
Here's the top of the restart section:
May 8 10:35:24 Mail named[12234]: starting BIND 9.11.5-P4-5.1+deb10u7-Debian (Extended Support Version) <id:998753c>
May 8 10:35:24 Mail named[12234]: running on Linux x86_64 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17)
May 8 10:35:24 Mail named[12234]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--disable-isc-spnego' '--with-libidn2' '--with-libjson=/usr' '--with-lmdb=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-PHgl7y/bind9-9.11.5.P4+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
May 8 10:35:24 Mail named[12234]: running as: named -u bind
May 8 10:35:24 Mail named[12234]: compiled by GCC 8.3.0
May 8 10:35:24 Mail named[12234]: compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
May 8 10:35:24 Mail named[12234]: linked to OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022
May 8 10:35:24 Mail named[12234]: compiled with libxml2 version: 2.9.4
May 8 10:35:24 Mail named[12234]: linked to libxml2 version: 20904
May 8 10:35:24 Mail named[12234]: compiled with libjson-c version: 0.12.1
May 8 10:35:24 Mail named[12234]: linked to libjson-c version: 0.12.1
May 8 10:35:24 Mail named[12234]: threads support is enabled
May 8 10:35:24 Mail named[12234]: ----------------------------------------------------
May 8 10:35:24 Mail named[12234]: BIND 9 is maintained by Internet Systems Consortium,
May 8 10:35:24 Mail named[12234]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 8 10:35:24 Mail named[12234]: corporation. Support and training for BIND 9 are
May 8 10:35:24 Mail named[12234]: available at https://www.isc.org/support
May 8 10:35:24 Mail named[12234]: ----------------------------------------------------
May 8 10:35:24 Mail named[12234]: adjusted limit on open files from 524288 to 1048576
May 8 10:35:24 Mail named[12234]: found 1 CPU, using 1 worker thread
May 8 10:35:24 Mail named[12234]: using 1 UDP listener per interface
May 8 10:35:24 Mail named[12234]: using up to 4096 sockets
May 8 10:35:24 Mail named[12234]: loading configuration from '/etc/bind/named.conf'
May 8 10:35:24 Mail named[12234]: reading built-in trust anchors from file '/etc/bind/bind.keys'
May 8 10:35:24 Mail named[12234]: initializing GeoIP Country (IPv4) (type 1) DB
May 8 10:35:24 Mail named[12234]: GEO-106FREE 20181108 Build
May 8 10:35:24 Mail named[12234]: initializing GeoIP Country (IPv6) (type 12) DB
May 8 10:35:24 Mail named[12234]: GEO-106FREE 20181108 Build
May 8 10:35:24 Mail named[12234]: GeoIP City (IPv4) (type 2) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP City (IPv4) (type 6) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP City (IPv6) (type 30) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP City (IPv6) (type 31) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP Region (type 3) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP Region (type 7) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP ISP (type 4) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP Org (type 5) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP AS (type 9) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP Domain (type 11) DB not available
May 8 10:35:24 Mail named[12234]: GeoIP NetSpeed (type 10) DB not available
May 8 10:35:24 Mail named[12234]: using default UDP/IPv4 port range: [32768, 60999]
May 8 10:35:24 Mail named[12234]: using default UDP/IPv6 port range: [32768, 60999]
May 8 10:35:24 Mail named[12234]: listening on IPv6 interfaces, port 53
May 8 10:35:24 Mail named[12234]: listening on IPv4 interface lo, 127.0.0.1#53
May 8 10:35:24 Mail named[12234]: listening on IPv4 interface enp0s8, 192.168.1.74#53
May 8 10:35:24 Mail named[12234]: generating session key for dynamic DNS
May 8 10:35:24 Mail named[12234]: sizing zone task pool based on 7 zones
May 8 10:35:24 Mail named[12234]: none:106: 'max-cache-size 90%' - setting to 5367MB (out of 5964MB)
May 8 10:35:24 Mail named[12234]: obtaining root key for view _default from '/etc/bind/bind.keys'
May 8 10:35:24 Mail named[12234]: set up managed keys zone for view _default, file 'managed-keys.bind'
It loads the standard stuff and then...
May 8 10:35:24 Mail named[12234]: all zones loaded
May 8 10:35:24 Mail named[12234]: running
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:dc3::35#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:500:200::b#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:7fe::53#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:7fd::1#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:500:1::53#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
May 8 10:35:24 Mail named[12234]: network unreachable resolving './NS/IN': 2001:500:2::c#53
May 8 10:35:25 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:500:1::53#53
May 8 10:35:25 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:500:9f::42#53
May 8 10:35:25 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:503:c27::2:30#53
May 8 10:35:25 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:7fe::53#53
May 8 10:35:25 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
May 8 10:35:25 Mail named[12234]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:503:a83e::2:30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:503:231d::2:30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:503:eea3::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:501:b1f9::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:503:83eb::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:502:8cc::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:500:d937::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:503:d414::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:502:7094::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:503:d2d::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:502:1ca1::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:500:856e::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:503:39c1::30#53
May 8 10:35:26 Mail named[12234]: resolver priming query complete
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:4860:4802:36::a#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:4860:4802:32::a#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:4860:4802:34::a#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:4860:4802:38::a#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'google.com/DS/IN': 2001:503:eea3::30#53
May 8 10:35:26 Mail named[12234]: network unreachable resolving 'google.com/DS/IN': 2001:500:d937::30#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'nexus.officeapps.live.com/A/IN': 2603:1061:0:10::22#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2001:500:40::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2001:500:e::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2001:500:f::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2001:500:b::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/A/IN': 2001:500:19::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/A/IN': 2001:500:49::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/A/IN': 2001:500:b::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2001:500:c::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/A/IN': 2001:500:c::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/A/IN': 2001:500:1c::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/A/IN': 2001:500:1a::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2001:500:48::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/A/IN': 2001:500:48::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/AAAA/IN': 2001:500:1a::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/A/IN': 2001:500:1b::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/AAAA/IN': 2001:500:1b::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/A/IN': 2001:500:41::1#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/AAAA/IN': 2001:500:41::1#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2a01:111:4000::3#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2a01:111:4000::1#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2a01:111:4000::4#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2a01:111:4000::2#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns2-34.azure-dns.net/AAAA/IN': 2620:1ec:8ec::2#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns2-34.azure-dns.net/AAAA/IN': 2620:1ec:8ec::3#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns2-34.azure-dns.net/AAAA/IN': 2620:1ec:8ec::4#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns2-34.azure-dns.net/AAAA/IN': 2620:1ec:8ec::1#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns2-34.azure-dns.net/A/IN': 2620:1ec:8ec::4#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns2-34.azure-dns.net/A/IN': 2620:1ec:8ec::3#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/AAAA/IN': 2620:1ec:bda::2#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/AAAA/IN': 2620:1ec:bda::1#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/AAAA/IN': 2620:1ec:bda::4#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/AAAA/IN': 2620:1ec:bda::3#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'ns8-34.azure-dns.info/A/IN': 2620:1ec:bda::2#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'a5-130.akagtm.org/A/IN': 2001:500:c::1#53
May 8 10:36:04 Mail named[12234]: network unreachable resolving 'a5-130.akagtm.org/AAAA/IN': 2001:500:c::1#53
May 8 10:36:11 Mail named[12234]: network unreachable resolving 'star.c10r.facebook.com/A/IN': 2a03:2880:f0fc:c:face:b00c:0:35#53
May 8 10:36:11 Mail named[12234]: network unreachable resolving 'star.c10r.facebook.com/A/IN': 2a03:2880:f0fd:c:face:b00c:0:35#53
May 8 10:36:11 Mail named[12234]: network unreachable resolving 'star.c10r.facebook.com/A/IN': 2a03:2880:f1fd:c:face:b00c:0:35#53
May 8 10:36:11 Mail named[12234]: network unreachable resolving 'star.c10r.facebook.com/A/IN': 2a03:2880:f1fc:c:face:b00c:0:35#53
May 8 10:36:11 Mail named[12234]: network unreachable resolving 'star.c10r.facebook.com/A/IN': 2a03:2880:f1fc:b:face:b00c:0:99#53
May 8 10:36:11 Mail named[12234]: network unreachable resolving 'star.c10r.facebook.com/A/IN': 2a03:2880:f0fd:b:face:b00c:0:99#53
May 8 10:36:11 Mail named[12234]: network unreachable resolving 'star.c10r.facebook.com/A/IN': 2a03:2880:f1fd:b:face:b00c:0:99#53
May 8 10:36:11 Mail named[12234]: network unreachable resolving 'star.c10r.facebook.com/A/IN': 2a03:2880:f0fc:b:face:b00c:0:99#53
May 8 10:36:40 Mail named[12234]: network unreachable resolving 'verywellaged.com/A/IN': 2001:503:231d::2:30#53
And on and on...
Debian 11 is giving me:
May 8 14:20:06 Server named[11287]: /etc/bind/named.conf.options:23: option 'filter-aaaa-on-v4' is obsolete and should be removed
May 8 14:20:06 Server named[11287]: /etc/bind/named.conf.options:23: option 'filter-aaaa-on-v6' is obsolete and should be removed
and then BIND9 fails. (I had to remove the lines.) And then the flood of IPv6 "network unreachable resolving" starts once BIND runs.
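
Added example, not part of the original post: a small Python triage of named log lines like those quoted above. It pulls the configure flags out of the `built with` line, lists config-parse rejections with their file and line, and tallies the `network unreachable resolving` messages by query type and by the address family of the server named was trying to reach. The sample lines are constructed (shortened) from the messages in the post, and the function and field names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: shortened copies of the kinds of named messages quoted in the post.
SAMPLE = """\
May 8 10:35:24 Mail named[12234]: built with '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-g -O2'
May 08 09:58:05 Mail named[11869]: /etc/bind/named.conf:12: unknown option 'filter-aaaa-on-v6'
May 8 14:20:06 Server named[11287]: /etc/bind/named.conf.options:23: option 'filter-aaaa-on-v4' is obsolete and should be removed
May 8 10:35:24 Mail named[12234]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
May 8 10:35:25 Mail named[12234]: network unreachable resolving 'www.google.com/A/IN': 2001:500:1::53#53
May 8 10:36:03 Mail named[12234]: network unreachable resolving 'ns7-34.azure-dns.org/AAAA/IN': 2001:500:40::1#53
"""

MSG = re.compile(r"named\[\d+\]: (.*)$")          # strip syslog prefix
BUILT = re.compile(r"^built with (.*)$")           # configure flags line
CONF = re.compile(                                 # config parser rejections
    r"^(\S+):(\d+): (?:unknown option '([^']+)'|option '([^']+)' is obsolete)")
UNREACH = re.compile(                              # outbound query that could not be sent
    r"^network unreachable resolving '(.*)/([A-Z0-9]+)/IN': ([0-9a-fA-F:.]+)#\d+$")


def triage(text):
    """Classify named log lines into build flags, config errors and unreachable upstreams."""
    report = {
        "configure_flags": [],
        "config_errors": [],                 # (file, line, "unknown"|"obsolete", option)
        "unreachable_by_qtype": Counter(),   # query type -> count
        "unreachable_servers": {4: set(), 6: set()},  # IP version -> server addresses
    }
    for line in text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if (b := BUILT.match(msg)):
            report["configure_flags"] = re.findall(r"'([^']*)'", b.group(1))
        elif (c := CONF.match(msg)):
            kind = "unknown" if c.group(3) else "obsolete"
            report["config_errors"].append(
                (c.group(1), int(c.group(2)), kind, c.group(3) or c.group(4)))
        elif (u := UNREACH.match(msg)):
            report["unreachable_by_qtype"][u.group(2)] += 1
            version = ipaddress.ip_address(u.group(3)).version
            report["unreachable_servers"][version].add(u.group(3))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("filter-aaaa compiled in:", "--enable-filter-aaaa" in r["configure_flags"])
    print("config errors:", r["config_errors"])
    print("unreachable by qtype:", dict(r["unreachable_by_qtype"]))
    print("unreachable IPv6 servers:", len(r["unreachable_servers"][6]))
```

Run against the full logs in the post, the tally separates the config-parse rejections from the unreachable messages, which are logged for A, DNSKEY, NS and DS queries as well as AAAA, each to an IPv6 server address.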