[master] "enable-filter-aaaa" no longer optional

4786. [func] The "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options are no longer conditionally compiled. [RT #46340]
2026-05-28 04:34:54 -04:00 · 2017-10-25 00:33:51 -07:00 · 2017-10-25 00:33:51 -07:00 · 65314b0fd8
commit 65314b0fd8
parent 80739779fc
18 changed files with 33 additions and 163 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+4786.	[func]		The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
+			options are no longer conditionally compiled.
+			[RT #46340]
+
 4785.	[func]		The hmac-md5 algorithm is no longer recommended for
 			use with RNDC keys. For compatibility reasons, it
 			it is still the default algorithm in rndc-confgen,
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -156,12 +156,10 @@ options {\n\
 #	fetch-glue <obsolete>;\n\
 	fetch-quota-params 100 0.1 0.3 0.7;\n\
 	fetches-per-server 0;\n\
-	fetches-per-zone 0;\n"
-#ifdef ALLOW_FILTER_AAAA
-"	filter-aaaa-on-v4 no;\n\
+	fetches-per-zone 0;\n\
+	filter-aaaa-on-v4 no;\n\
 	filter-aaaa-on-v6 no;\n\
 	filter-aaaa { any; };\n"
-#endif
 #ifdef HAVE_GEOIP
 "	geoip-use-ecs yes;\n"
 #endif
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -4874,7 +4874,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 					      dns_quotatype_zone, r);
 	}

-#ifdef ALLOW_FILTER_AAAA
 	obj = NULL;
 	result = named_config_get(maps, "filter-aaaa-on-v4", &obj);
 	INSIST(result == ISC_R_SUCCESS);
@ -4909,7 +4908,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,

 	CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
 				 actx, named_g_mctx, &view->aaaa_acl));
-#endif
+
 	obj = NULL;
 	result = named_config_get(maps, "prefetch", &obj);
 	if (result == ISC_R_SUCCESS) {
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@ -36,7 +36,6 @@ usage() {
 	fprintf(stderr, "args:\n");
 	fprintf(stderr, "	--edns-version\n");
 	fprintf(stderr, "	--enable-dnsrps\n");
-	fprintf(stderr, "	--enable-filter-aaaa\n");
 	fprintf(stderr, "	--gethostname\n");
 	fprintf(stderr, "	--gssapi\n");
 	fprintf(stderr, "	--have-dlopen\n");
@ -63,14 +62,6 @@ main(int argc, char **argv) {
 #endif
 	}

-	if (strcmp(argv[1], "--enable-filter-aaaa") == 0) {
-#ifdef ALLOW_FILTER_AAAA
-		return (0);
-#else
-		return (1);
-#endif
-	}
-
 	if (strcmp(argv[1], "--edns-version") == 0) {
 #ifdef DNS_EDNS_VERSION
 		printf("%d\n", DNS_EDNS_VERSION);
--- a/bin/tests/system/filter-aaaa/prereq.sh
+++ b/bin/tests/system/filter-aaaa/prereq.sh
@ -1,16 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2010, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-$FEATURETEST --enable-filter-aaaa || {
-    echo "I:This test requires --enable-filter-aaaa at compile time." >&2
-    exit 255
-}
-exit 0
--- a/config.h.in
+++ b/config.h.in
@ -141,10 +141,6 @@ int sigwait(const unsigned int *set, int *sig);
 /* Use AES for Client Cookie generation */
 #undef AES_CC

-/* Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.
-   */
-#undef ALLOW_FILTER_AAAA
-
 /* define if ATF unit tests are to be built. */
 #undef ATF_TEST

--- a/config.h.win32
+++ b/config.h.win32
@ -306,10 +306,6 @@ typedef __int64 off_t;
 /* Define to the sockaddr length type used by getnameinfo(3). */
 #define IRS_GETNAMEINFO_SOCKLEN_T socklen_t

-/* Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.
-   */
-@ALLOW_FILTER_AAAA@
-
 /* Define to enable "rrset-order fixed" syntax. */
@DNS_RDATASET_FIXED@

--- a/41
+++ b/41
@ -940,6 +940,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@ -1033,7 +1034,6 @@ enable_dnsrps_dl
 with_dnsrps_libname
 with_dnsrps_dir
 enable_dnsrps
-enable_filter_aaaa
 enable_dnstap
 with_protobuf_c
 with_libfstrm
@ -1103,6 +1103,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1355,6 +1356,15 @@ do
  | -silent | --silent | --silen | --sile | --sil)
    silent=yes ;;

+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
    ac_prev=sbindir ;;
  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1492,7 +1502,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
  eval ac_val=\$$ac_var
  # Remove trailing slashes.
@ -1645,6 +1655,7 @@ Fine tuning of the installation directories:
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@ -1719,7 +1730,6 @@ Optional Features:
  --disable-rpz-nsdname	  disable rpz nsdname rules [default=enabled]
  --enable-dnsrps-dl	  DNS Response Policy Service delayed link [default=$librpz_dl]
  --enable-dnsrps         enable DNS Response Policy Service API
-  --enable-filter-aaaa    enable filtering of AAAA records [default=no]
  --enable-dnstap         enable dnstap support (requires fstrm, protobuf-c)
  --enable-querytrace     enable very verbose query trace logging [default=no]
  --enable-full-report	  report values of all configure options
@ -11470,7 +11480,6 @@ yes)
 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
 	test "${with_atf+set}" = set || with_atf=yes
-	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
 	test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
 	test "${enable_symtable+set}" = set || enable_symtable=all
 	test "${enable_warn_error+set}" = set || enable_warn_error=yes
@ -20944,28 +20953,6 @@ $as_echo "#define USE_DNSRPS 1" >>confdefs.h

 fi

-#
-# Activate "filter-aaaa-on-v4/v6" or not?
-#
-# Check whether --enable-filter-aaaa was given.
-if test "${enable_filter_aaaa+set}" = set; then :
-  enableval=$enable_filter_aaaa; enable_filter="$enableval"
-else
-  enable_filter="no"
-fi
-
-case "$enable_filter" in
-	yes)
-
-$as_echo "#define ALLOW_FILTER_AAAA 1" >>confdefs.h
-
-		;;
-	no)
-		;;
-	*)
-		;;
-esac
-
 #
 # Activate dnstap?
 #
@ -26238,8 +26225,6 @@ report() {
        echo "    DNS Response Policy Service interface (--enable-dnsrps)"
    test "yes" = "$enable_fixed" && \
        echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
-    test "yes" = "$enable_filter" && \
-        echo "    AAAA filtering (--enable-filter-aaaa)"
    test "yes" = "$enable_seccomp" && \
        echo "    Use libseccomp system call filtering (--enable-seccomp)"
    test "yes" = "$want_backtrace" && \
--- a/configure.in
+++ b/configure.in
@ -66,7 +66,6 @@ yes)
 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
 	test "${with_atf+set}" = set || with_atf=yes
-	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
 	test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
 	test "${enable_symtable+set}" = set || enable_symtable=all
 	test "${enable_warn_error+set}" = set || enable_warn_error=yes
@ -4413,24 +4412,6 @@ if test "x$enable_dnsrps" != "xno"; then
 	AC_DEFINE([USE_DNSRPS], [1], [Enable DNS Response Policy Service API])
 fi

-#
-# Activate "filter-aaaa-on-v4/v6" or not?
-#
-AC_ARG_ENABLE(filter-aaaa,
-	[  --enable-filter-aaaa    enable filtering of AAAA records [[default=no]]],
-			enable_filter="$enableval",
-			enable_filter="no")
-case "$enable_filter" in
-	yes)
-		AC_DEFINE(ALLOW_FILTER_AAAA, 1,
-			  [Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.])
-		;;
-	no)
-		;;
-	*)
-		;;
-esac
-
 #
 # Activate dnstap?
 #
@ -5481,8 +5462,6 @@ report() {
        echo "    DNS Response Policy Service interface (--enable-dnsrps)"
    test "yes" = "$enable_fixed" && \
        echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
-    test "yes" = "$enable_filter" && \
-        echo "    AAAA filtering (--enable-filter-aaaa)"
    test "yes" = "$enable_seccomp" && \
        echo "    Use libseccomp system call filtering (--enable-seccomp)"
    test "yes" = "$want_backtrace" && \
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -6714,10 +6714,7 @@ options {
 	      <term><command>filter-aaaa-on-v4</command></term>
 	      <listitem>
 		<para>
-		  This option is only available when
-		  <acronym>BIND</acronym> 9 is compiled with the
-		  <userinput>--enable-filter-aaaa</userinput> option on the
-		  "configure" command line.  It is intended to help the
+		  This option is intended to help the
 		  transition from IPv4 to IPv6 by not giving IPv6 addresses
 		  to DNS clients unless they have connections to the IPv6
 		  Internet.  This is not recommended unless absolutely
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -693,6 +693,13 @@
 	  catagory.
 	</para>
      </listitem>
+      <listitem>
+	<para>
+	  The <command>filter-aaaa-on-v4</command> and
+	  <command>filter-aaaa-on-v6</command> options are no longer
+	  conditionally compiled in <command>named</command>. [RT #46340]
+	</para>
+      </listitem>
    </itemizedlist>
  </section>

--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@ -176,9 +176,7 @@ typedef int dns_messagetextflag_t;
 						      additional section. */
 #define DNS_MESSAGERENDER_PREFER_AAAA	0x0010	/*%< prefer AAAA records in
 						  additional section. */
-#ifdef ALLOW_FILTER_AAAA
 #define DNS_MESSAGERENDER_FILTER_AAAA	0x0020	/*%< filter AAAA records */
-#endif

 typedef struct dns_msgblock dns_msgblock_t;

--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@ -1897,7 +1897,6 @@ wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
 	return (ISC_TRUE);
 }

-#ifdef ALLOW_FILTER_AAAA
 /*
 * Decide whether to not answer with an AAAA record and its RRSIG
 */
@ -1939,7 +1938,6 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,

 	return (ISC_TRUE);
 }
-#endif

 static isc_result_t
 renderset(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
@ -2100,13 +2098,14 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 						      preferred_glue))
 					goto next;

-#ifdef ALLOW_FILTER_AAAA
 				/*
 				 * Suppress AAAAs if asked and we are
 				 * not doing DNSSEC or are breaking DNSSEC.
 				 * Say so in the AD bit if we break DNSSEC.
 				 */
-				if (norender_rdataset(rdataset, options, sectionid)) {
+				if (norender_rdataset(rdataset, options,
+						      sectionid))
+				{
 					if (sectionid == DNS_SECTION_ANSWER ||
 					    sectionid == DNS_SECTION_AUTHORITY)
 					    msg->flags &= ~DNS_MESSAGEFLAG_AD;
@ -2115,7 +2114,6 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 					goto next;
 				}

-#endif
 				st = *(msg->buffer);

 				count = 0;
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -1895,18 +1895,9 @@ view_clauses[] = {
 	{ "fetch-quota-params", &cfg_type_fetchquota, 0 },
 	{ "fetches-per-server", &cfg_type_fetchesper, 0 },
 	{ "fetches-per-zone", &cfg_type_fetchesper, 0 },
-#ifdef ALLOW_FILTER_AAAA
 	{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
 	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
 	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
-#else
-	{ "filter-aaaa", &cfg_type_bracketed_aml,
-	   CFG_CLAUSEFLAG_NOTCONFIGURED },
-	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa,
-	   CFG_CLAUSEFLAG_NOTCONFIGURED },
-	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa,
-	   CFG_CLAUSEFLAG_NOTCONFIGURED },
-#endif
 	{ "glue-cache", &cfg_type_boolean, 0 },
 	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
 	{ "lame-ttl", &cfg_type_ttlval, 0 },
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@ -1096,7 +1096,6 @@ client_send(ns_client_t *client) {
 			preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
 	}

-#ifdef ALLOW_FILTER_AAAA
 	/*
 	 * filter-aaaa-on-v4 yes or break-dnssec option to suppress
 	 * AAAA records.
@ -1113,7 +1112,6 @@ client_send(ns_client_t *client) {
 		if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA)
 			preferred_glue = DNS_MESSAGERENDER_PREFER_A;
 	}
-#endif

 	/*
 	 * Create an OPT for our reply.
@ -3033,9 +3031,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	client->interface = NULL;
 	client->peeraddr_valid = ISC_FALSE;
 	dns_ecs_init(&client->ecs);
-#ifdef ALLOW_FILTER_AAAA
 	client->filter_aaaa = dns_aaaa_ok;
-#endif
 	client->needshutdown = ISC_TF((client->sctx->options &
 				       NS_SERVER_CLIENTTEST) != 0);

--- a/lib/ns/include/ns/client.h
+++ b/lib/ns/include/ns/client.h
@ -141,9 +141,7 @@ struct ns_client {
 	struct in6_pktinfo	pktinfo;
 	isc_dscp_t		dscp;
 	isc_event_t		ctlevent;
-#ifdef ALLOW_FILTER_AAAA
 	dns_aaaa_t		filter_aaaa;
-#endif
 	/*%
 	 * Information about recent FORMERR response(s), for
 	 * FORMERR loop avoidance.  This is separate for each
@ -180,10 +178,8 @@ typedef ISC_LIST(ns_client_t) client_list_t;
 #define NS_CLIENTATTR_MULTICAST		0x00008 /*%< recv'd from multicast */
 #define NS_CLIENTATTR_WANTDNSSEC	0x00010 /*%< include dnssec records */
 #define NS_CLIENTATTR_WANTNSID		0x00020 /*%< include nameserver ID */
-#ifdef ALLOW_FILTER_AAAA
 #define NS_CLIENTATTR_FILTER_AAAA	0x00040 /*%< suppress AAAAs */
 #define NS_CLIENTATTR_FILTER_AAAA_RC	0x00080 /*%< recursing for A against AAAA */
-#endif
 #define NS_CLIENTATTR_WANTAD		0x00100 /*%< want AD in response if possible */
 #define NS_CLIENTATTR_WANTCOOKIE	0x00200 /*%< return a COOKIE */
 #define NS_CLIENTATTR_HAVECOOKIE	0x00400 /*%< has a valid COOKIE */
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -1832,9 +1832,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
 	}

 	if (qtype == dns_rdatatype_a) {
-#ifdef ALLOW_FILTER_AAAA
 		isc_boolean_t have_a = ISC_FALSE;
-#endif

 		/*
 		 * We now go looking for A and AAAA records, along with
@ -1873,9 +1871,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
 				dns_rdataset_disassociate(sigrdataset);
 		} else if (result == ISC_R_SUCCESS) {
 			mname = NULL;
-#ifdef ALLOW_FILTER_AAAA
 			have_a = ISC_TRUE;
-#endif
 			if (additionaltype == dns_rdatasetadditional_fromcache &&
 			    (DNS_TRUST_PENDING(rdataset->trust) ||
 			     DNS_TRUST_GLUE(rdataset->trust)) &&
@ -1935,14 +1931,12 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
 			/*
 			 * There's an A; check whether we're filtering AAAA
 			 */
-#ifdef ALLOW_FILTER_AAAA
 			if (have_a &&
 			    (client->filter_aaaa == dns_aaaa_break_dnssec ||
 			    (client->filter_aaaa == dns_aaaa_filter &&
 			     (!WANTDNSSEC(client) || sigrdataset == NULL ||
 			      !dns_rdataset_isassociated(sigrdataset)))))
 				goto addname;
-#endif
 			if (additionaltype == dns_rdatasetadditional_fromcache &&
 			    (DNS_TRUST_PENDING(rdataset->trust) ||
 			     DNS_TRUST_GLUE(rdataset->trust)) &&
@ -2071,13 +2065,11 @@ query_addrdataset(ns_client_t *client, dns_section_t section,
 		if (dbversion == NULL)
 			goto regular;

-#ifdef ALLOW_FILTER_AAAA
 		if (client->filter_aaaa == dns_aaaa_filter ||
 		    client->filter_aaaa == dns_aaaa_break_dnssec)
 		{
 			options |= DNS_RDATASETADDGLUE_FILTERAAAA;
 		}
-#endif

 		result = dns_rdataset_addglue(rdataset, dbversion->version,
 					      options, client->message);
@ -4553,7 +4545,6 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
 	return;
 }

-#ifdef ALLOW_FILTER_AAAA
 static isc_boolean_t
 is_v4_client(ns_client_t *client) {
 	if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
@ -4571,7 +4562,6 @@ is_v6_client(ns_client_t *client) {
 		return (ISC_TRUE);
 	return (ISC_FALSE);
 }
-#endif

 static isc_uint32_t
 dns64_ttl(dns_db_t *db, dns_dbversion_t *version) {
@ -6522,7 +6512,6 @@ query_respond_any(query_ctx_t *qctx) {
 	dns_rdatasetiter_t *rdsiter = NULL;
 	isc_result_t result;
 	dns_rdatatype_t onetype = 0; 	/* type to use for minimal-any */
-#ifdef ALLOW_FILTER_AAAA
 	isc_boolean_t have_aaaa, have_a, have_sig;

 	/*
@ -6533,7 +6522,6 @@ query_respond_any(query_ctx_t *qctx) {
 	have_aaaa = ISC_FALSE;
 	have_a = !qctx->authoritative;
 	have_sig = ISC_FALSE;
-#endif

 	result = dns_db_allrdatasets(qctx->db, qctx->node,
 				     qctx->version, 0, &rdsiter);
@ -6561,7 +6549,6 @@ query_respond_any(query_ctx_t *qctx) {
 	result = dns_rdatasetiter_first(rdsiter);
 	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_current(rdsiter, qctx->rdataset);
-#ifdef ALLOW_FILTER_AAAA
 		/*
 		 * Notice the presence of A and AAAAs so
 		 * that AAAAs can be hidden from IPv4 clients.
@ -6572,7 +6559,7 @@ query_respond_any(query_ctx_t *qctx) {
 			else if (qctx->rdataset->type == dns_rdatatype_a)
 				have_a = ISC_TRUE;
 		}
-#endif
+
 		/*
 		 * We found an NS RRset; no need to add one later.
 		 */
@ -6619,10 +6606,8 @@ query_respond_any(query_ctx_t *qctx) {
 			    qctx->rdataset->type == qctx->qtype) &&
 			   qctx->rdataset->type != 0)
 		{
-#ifdef ALLOW_FILTER_AAAA
 			if (dns_rdatatype_isdnssec(qctx->rdataset->type))
 				have_sig = ISC_TRUE;
-#endif

 			if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client))
 			{
@ -6689,7 +6674,6 @@ query_respond_any(query_ctx_t *qctx) {
 		result = dns_rdatasetiter_next(rdsiter);
 	}

-#ifdef ALLOW_FILTER_AAAA
 	/*
 	 * Filter AAAAs if there is an A and there is no signature
 	 * or we are supposed to break DNSSEC.
@ -6700,7 +6684,7 @@ query_respond_any(query_ctx_t *qctx) {
 		 have_aaaa && have_a &&
 		 (!have_sig || !WANTDNSSEC(qctx->client)))
 		  qctx->client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
-#endif
+
 	if (qctx->fname != NULL)
 		dns_message_puttempname(qctx->client->message, &qctx->fname);

@ -6813,7 +6797,6 @@ query_getexpire(query_ctx_t *qctx) {
 	}
 }

-#ifdef ALLOW_FILTER_AAAA
 /*
 * Optionally hide AAAAs from IPv4 clients if there is an A.
 *
@ -6908,7 +6891,6 @@ query_filter_aaaa(query_ctx_t *qctx) {

 	return (ISC_R_COMPLETE);
 }
-#endif

 /*%
 * Build a repsonse for a "normal" query, for a type other than ANY,
@ -6947,11 +6929,9 @@ query_respond(query_ctx_t *qctx) {
 		return (query_done(qctx));
 	}

-#ifdef ALLOW_FILTER_AAAA
 	result = query_filter_aaaa(qctx);
 	if (result != ISC_R_COMPLETE)
 		return (result);
-#endif
 	/*
 	 * Check to see if the AAAA RRset has non-excluded addresses
 	 * in it.  If not look for a A RRset.
@ -8853,14 +8833,12 @@ query_coveringnsec(query_ctx_t *qctx) {
 		if (qctx->type == dns_rdatatype_any) {	/* XXX not yet */
 			goto cleanup;
 		}
-#ifdef ALLOW_FILTER_AAAA
 		if (qctx->client->filter_aaaa != dns_aaaa_ok &&
 		    (qctx->type == dns_rdatatype_a ||
 		     qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
 		{
 			goto cleanup;
 		}
-#endif
 		if (!ISC_LIST_EMPTY(qctx->client->view->dns64) &&
 		    (qctx->type == dns_rdatatype_a ||
 		     qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
@ -8925,14 +8903,12 @@ query_coveringnsec(query_ctx_t *qctx) {
 		if (qctx->type == dns_rdatatype_any) {	/* XXX not yet */
 			goto cleanup;
 		}
-#ifdef ALLOW_FILTER_AAAA
 		if (qctx->client->filter_aaaa != dns_aaaa_ok &&
 		    (qctx->type == dns_rdatatype_a ||
 		     qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
 		{
 			goto cleanup;
 		}
-#endif
 		if (!ISC_LIST_EMPTY(qctx->client->view->dns64) &&
 		    (qctx->type == dns_rdatatype_a ||
 		     qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
@ -9471,7 +9447,6 @@ query_prepresponse(query_ctx_t *qctx) {
 		qctx->need_wildcardproof = ISC_TRUE;
 	}

-#ifdef ALLOW_FILTER_AAAA
 	/*
 	 * The filter-aaaa-on-v4 option should suppress AAAAs for IPv4
 	 * clients if there is an A; filter-aaaa-on-v6 option does the same
@ -9495,7 +9470,6 @@ query_prepresponse(query_ctx_t *qctx) {
 			qctx->client->filter_aaaa = qctx->client->view->v6_aaaa;
 	}

-#endif

 	if (qctx->type == dns_rdatatype_any) {
 		return (query_respond_any(qctx));
--- a/win32utils/Configure
+++ b/win32utils/Configure
@ -219,7 +219,6 @@ my @projectlist = ("..\\bin\\check\\win32\\checkconf.vcxproj",
 my %configdefh;

 my @substdefh = ("AES_CC",
-                 "ALLOW_FILTER_AAAA",
                 "CONFIGARGS",
                 "DNS_RDATASET_FIXED",
                 "ENABLE_RPZ_NSDNAME",
@ -451,7 +450,6 @@ my @help = (
 "  enable-crypto-rand    use crypto provider for random [default=yes]\n",
 "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
 "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
-"  enable-filter-aaaa    enable filtering of AAAA records [default=yes]\n",
 "  enable-fixed-rrset    enable fixed rrset ordering [default=no]\n",
 "  enable-developer      enable developer build settings [default=no]\n",
 "  enable-querytrace     enable very verbose query trace [default=no]\n",
@ -496,7 +494,6 @@ my $cryptolib = "";
 my $enable_native_pkcs11 = "no";
 my $enable_crypto_rand = "yes";
 my $enable_openssl_hash = "auto";
-my $enable_filter_aaaa = "yes";
 my $enable_isc_spnego = "yes";
 my $enable_fixed_rrset = "no";
 my $enable_developer = "no";
@ -717,10 +714,6 @@ sub myenable {
        if ($val =~ /^no$/i) {
            $enable_isc_spnego = "no";
        }
-    } elsif ($key =~ /^filter-aaaa$/i) {
-        if ($val =~ /^no$/i) {
-            $enable_filter_aaaa = "no";
-        }
    } elsif ($key =~ /^fixed-rrset$/i) {
        if ($val =~ /^yes$/i) {
            $enable_fixed_rrset = "yes";
@ -755,7 +748,6 @@ sub myenable {

 if ($enable_developer eq "yes") {
    $configdefh{"ISC_LIST_CHECKINIT"} = 1;
-    $enable_filter_aaaa = "yes";
    $enable_querytrace = "yes";
    # no atf on WIN32
    $enable_fixed_rrset = "yes";
@ -1005,11 +997,6 @@ if ($verbose) {
    } else {
        print "isc-spnego: disabled\n";
    }
-    if ($enable_filter_aaaa eq "yes") {
-        print "filter-aaaa: enabled\n";
-    } else {
-        print "filter-aaaa: disabled\n";
-    }
    if ($enable_fixed_rrset eq "yes") {
        print "fixed-rrset: enabled\n";
    } else {
@ -1409,11 +1396,6 @@ if ($enable_native_pkcs11 eq "yes") {
    }
 }

-# enable-filter-aaaa
-if ($enable_filter_aaaa eq "yes") {
-    $configdefh{"ALLOW_FILTER_AAAA"} = 1;
-}
-
 # enable-fixed-rrset
 if ($enable_fixed_rrset eq "yes") {
    $configdefh{"DNS_RDATASET_FIXED"} = 1;
@ -3413,7 +3395,6 @@ exit 0;
 #  --enable-querytrace supported
 #  --disable-rpz-nsip supported
 #  --disable-rpz-nsdname supported
-#  --enable-filter-aaaa supported
 #  --enable-full-report supported by verbose
 #  --enable-dnstap not supported (requires libfstrm support on WIN32)
 #  --enable-seccomp not supported (Linux specific)