DNS with IPv6 – Zone Transfer Denied

I almost forgot about the issue of zone transfer denials on the IPv6 capable DNS servers. However, setting up a DNS recently I hit the problem again and decided that a post on this topic might be  useful for someone to quickly find and fix the issue

If you are trying to set up a DNS with IPv6 support you might be unpleasantly surprised by the fact that as soon as you add in your named.conf:

options {

listen-on-v6 {any;};


you might start getting errors when your secondary server will try to transfer the zone.

The error will normally look like a simple denial:

security: error: client ::ffff: zone transfer ‘’ denied

You might have already noticed the difference. In a simple denial the client-server IP will be and will look like:

security: error: client zone transfer ‘’ denied

however as soon as you tell your server to listen on IPv6, the client IP will become a mapped IP: ::ffff: This does not happen though with all the versions of Bind, and is a known bug.

The issue is, that from ACL standpoint the and the ::ffff: are completely different clients, meaning that the second one will be denied as long as it is not in the ACL.

There are 2 workarounds for this issues.

Either you simply add the mapped client IP to the ACL like:

zone “example.com” IN {
type master;
file “example.com”;
allow-transfer {, ::ffff: };

or, you might use a workaround that looks like that:

options {
listen-on-v6 {any;};
match-mapped-addresses yes;

where the match-mapped-addresses yes; will make sure that the IPv6 mapped IPv4 clients will still be able to connect to the server.

According to http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html


If yes, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address. Enabling this option is sometimes useful on IPv6-enabled Linux systems, to work around a kernel quirk that causes IPv4 TCP connections such as zone transfers to be accepted on an IPv6 socket using mapped addresses, causing address match lists designed for IPv4 to fail to match. The use of this option for any other purpose is discouraged. 

Happy IPv6 deployment!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s