Document desired DNS674 behaviour and tweak implementation to adhere to docs.

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 0d36ee09e5037bccd6048377f4441ce5aa794f18..5e4bcd7fc7fac5983aab1950e43142c52269adbd 100644 (file)
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1176,15 +1176,18 @@ void startDoResolve(void* p)
         }
       }
 
+      bool luaHookHandled = false;
       if (dc->d_luaContext) {
         PolicyResult policyResult = PolicyResult::NoAction;
         if (answerIsNOData(dc->d_mdp.d_qtype, res, ret)) {
           if (dc->d_luaContext->nodata(dq, res, sr.d_eventTrace)) {
+            luaHookHandled = true;
             shouldNotValidate = true;
             policyResult = handlePolicyHit(appliedPolicy, dc, sr, res, ret, pw, tcpGuard);
           }
         }
         else if (res == RCode::NXDomain && dc->d_luaContext->nxdomain(dq, res, sr.d_eventTrace)) {
+          luaHookHandled = true;
           shouldNotValidate = true;
           policyResult = handlePolicyHit(appliedPolicy, dc, sr, res, ret, pw, tcpGuard);
         }
@@ -1196,7 +1199,7 @@ void startDoResolve(void* p)
         }
       } // dc->d_luaContext
 
-      if (g_dns64Prefix && dc->d_mdp.d_qtype == QType::AAAA && !vStateIsBogus(dq.validationState) && dns64Candidate(dc->d_mdp.d_qtype, res, ret)) {
+      if (!luaHookHandled && g_dns64Prefix && dc->d_mdp.d_qtype == QType::AAAA && (!shouldNotValidate || !sr.isDNSSECValidationRequested() || !vStateIsBogus(dq.validationState)) && dns64Candidate(dc->d_mdp.d_qtype, res, ret)) {
         res = getFakeAAAARecords(dq.qname, *g_dns64Prefix, ret);
         shouldNotValidate = true;
       }

diff --git a/pdns/recursordist/docs/dns64.rst b/pdns/recursordist/docs/dns64.rst
index 1f7b9ff105f5190c29d33f51ff24d25bb5b73bfe..e6827b81f871a24cf2bf8a743d4de3ffc47dd8bc 100644 (file)
--- a/pdns/recursordist/docs/dns64.rst
+++ b/pdns/recursordist/docs/dns64.rst
@@ -10,6 +10,24 @@ We do this by retrieving the A records for ``www.example.com``, and translating
 Elsewhere, a NAT64 device listens on these IPv6 addresses, and extracts the IPv4 address from each packet, and proxies it on.
 
 As of 4.4.0, an efficient implementation is built the recursor and can be enabled via the using the :ref:`dns64-prefix setting <setting-dns64-prefix>`.
+
+Native DNS64 support
+--------------------
+Native DNS64 processing will happen after calling a ``nodata`` or ``nxdomain`` Lua hook (if defined), but before calling a ``postresolve`` or ``postresolve_ffi`` Lua hook (if defined).
+
+To consider native DNS64 processing the following conditions must be met:
+
+- The :ref:`setting-dns64-prefix` is defined.
+- A ``nodata`` or ``nxdomain`` Lua hook did not return ``true``.
+- The original query type was ``AAAA``.
+- The result code of the ``AAAA`` query was not ``NXDomain``.
+- No relevant answer was received: the result code was ``NoError`` with no relevant answer records, or an error unequal to ``NXDomain`` occurred.
+- If DNSSEC processing is requested the validation result was not ``Bogus``.
+
+Before version 4.8.0, only ``NoError`` results were considers candidates for DNS64 processing.
+
+Scripted DNS64 Support
+----------------------
 On earlier versions or for maximum flexibility, DNS64 support is included in the :doc:`lua-scripting/index`.
 This allows for example to hand out custom IPv6 gateway ranges depending on the location of the requestor, enabling the use of NAT64 services close to the user.