- Note 'respip' and 'dns64' module order in the unbound.conf

  man page.

diff --git a/doc/Changelog b/doc/Changelog
index d027c8ba1f4b18fe04ca8be8616bac0e8d4b7150..28b86fb45345413d9d62711da696f1f3d2749157 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+3 October 2025: Yorgos
+       - Note 'respip' and 'dns64' module order in the unbound.conf
+         man page.
+
 2 October 2025: Wouter
        - Fix that https is set up as enabled when the port is listed in
          interface-automatic-ports. Also for the set up of quic it is

diff --git a/doc/unbound.conf.rst b/doc/unbound.conf.rst
index f9f2dea8a396be74f1ec4467006af963e1d8e10e..22c53620a715c9d1ebff8c61fcc28275276196da 100644 (file)
--- a/doc/unbound.conf.rst
+++ b/doc/unbound.conf.rst
@@ -3959,6 +3959,13 @@ and be compiled into the daemon to be enabled.
 .. note::
     These settings go in the :ref:`server:<unbound.conf.server>` section.
 
+.. note::
+    If combining the ``respip`` and ``dns64`` modules, the ``respip`` module
+    needs to appear before the ``dns64`` module in the
+    :ref:`module-config<unbound.conf.module-config>`
+    configuration option so that response IP and/or RPZ feeds can properly
+    filter responses regardless of DNS64 synthesis.
+
 
 @@UAHL@unbound.conf.dns64@dns64-prefix@@: *<IPv6 prefix>*
     This sets the DNS64 prefix to use to synthesize AAAA records with.
@@ -4777,6 +4784,13 @@ The respip module needs to be added to the
 
     module-config: "respip validator iterator"
 
+.. note::
+    If combining the ``respip`` and ``dns64`` modules, the ``respip`` module
+    needs to appear before the ``dns64`` module in the
+    :ref:`module-config<unbound.conf.module-config>`
+    configuration option so that response IP and/or RPZ feeds can properly
+    filter responses regardless of DNS64 synthesis.
+
 QNAME, Response IP Address, nsdname, nsip and clientip triggers are supported.
 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
 and drop.