If a DNSSEC server has no zones with AAAA records, what potential problems could there be from dropping DNS type AAAA (28; 0x1c) queries at the firewall?
Same as dropping type ANY (255; 0xff). Just replace the type with AAAA (28; 0x1c).
All your clients would wait for a few seconds on every DNS lookup, for starters. IPv6 is not optional and modern operating systems treat it as such. A client looking for an address will look up both AAAA and A records, even if it does not seem to have any IPv6 connectivity at that exact moment. If you drop one of the queries, the client will wait until a timeout before going back to the application. You will thus annoy your users with a needless slowdown.
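The timeout described in the answer above, as an added example that is not part of the original post: a loopback-only Python script in which a stand-in server either silently drops the AAAA query or answers it with NODATA (NOERROR, zero answers), while a client sends A and AAAA together and waits for both. The function names, the 0.5 s timeout, `www.example.com` and `192.0.2.1` are constructed for the demonstration; real stub resolvers use multi-second timeouts and retries.

```python
import socket, struct, threading, time

A, AAAA = 1, 28  # DNS QTYPE values

def build_query(name, qtype, txid):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def qtype_of(msg):
    i = msg.index(0, 12)  # first zero byte after the header ends the QNAME
    return struct.unpack("!H", msg[i + 1:i + 3])[0]

def serve(sock, drop_aaaa):
    for _ in range(2):  # the client below sends exactly two queries
        msg, peer = sock.recvfrom(512)
        qtype = qtype_of(msg)
        if drop_aaaa and qtype == AAAA:
            continue  # the firewall drop: the client hears nothing at all
        # A gets one record; AAAA gets NOERROR with zero answers (NODATA)
        rr = b"\xc0\x0c" + struct.pack("!2HIH", A, 1, 60, 4) + socket.inet_aton("192.0.2.1")
        hdr = msg[:2] + struct.pack("!5H", 0x8500, 1, 1 if qtype == A else 0, 0, 0)
        sock.sendto(hdr + msg[12:] + (rr if qtype == A else b""), peer)

def lookup_both(server, name, timeout):
    pending = {1: A, 2: AAAA}  # txid -> qtype still unanswered
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        for txid, qtype in pending.items():
            c.sendto(build_query(name, qtype, txid), server)
        while pending:
            c.settimeout(max(start + timeout - time.monotonic(), 0.001))
            try:
                pending.pop(struct.unpack("!H", c.recv(512)[:2])[0], None)
            except socket.timeout:
                break
    return time.monotonic() - start, sorted(pending.values())

def measure(drop_aaaa, timeout=0.5):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        t = threading.Thread(target=serve, args=(srv, drop_aaaa), daemon=True)
        t.start()
        result = lookup_both(srv.getsockname(), "www.example.com", timeout)
        t.join()
    return result  # (seconds waited, QTYPEs that never got a reply)

if __name__ == "__main__":
    for drop in (False, True):
        print("drop AAAA" if drop else "answer NODATA", measure(drop))
```

With the NODATA reply the client returns almost immediately; with the drop it waits out the full timeout and still has QTYPE 28 unanswered.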
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.