modules/dns64: document the new features

diff --git a/modules/dns64/README.rst b/modules/dns64/README.rst
index feceb1ccc3a4b9b184e064d135447d71a19c9718..07908c80b6852ab442dc77c7fa3b837a8f2eb2bd 100644 (file)
--- a/modules/dns64/README.rst
+++ b/modules/dns64/README.rst
@@ -8,21 +8,52 @@ DNS64
 The module for :rfc:`6147` DNS64 AAAA-from-A record synthesis, it is used to enable client-server communication between an IPv6-only client and an IPv4-only server. See the well written `introduction`_ in the PowerDNS documentation.
 If no address is passed (i.e. ``nil``), the well-known prefix ``64:ff9b::`` is used.
 
+.. _introduction: https://doc.powerdns.com/md/recursor/dns64
+
+Simple example
+--------------
+
+.. code-block:: lua
+
+       -- Load the module with default settings
+       modules = { 'dns64' }
+       -- Reconfigure later
+       dns64.config({ prefix = '2001:db8::aabb:0:0' })
+
 .. warning:: The module currently won't work well with :func:`policy.STUB`.
-   Also, the IPv6 passed in configuration is assumed to be ``/96``, and
-   PTR synthesis and "exclusion prefixes" aren't implemented.
+   Also, the IPv6 ``prefix`` passed in configuration is assumed to be ``/96``.
 
 .. tip:: The A record sub-requests will be DNSSEC secured, but the synthetic AAAA records can't be. Make sure the last mile between stub and resolver is secure to avoid spoofing.
 
-Example configuration
----------------------
+
+Advanced options
+----------------
+
+TTL in CNAME generated in the reverse ``ip6.arpa.`` subtree is configurable:
 
 .. code-block:: lua
 
-       -- Load the module with a NAT64 address
-       modules = { dns64 = 'fe80::21b:77ff:0:0' }
-       -- Reconfigure later
-       dns64.config('fe80::21b:aabb:0:0')
+   dns64.config({ prefix = '2001:db8:77ff::', rev_ttl = 300 })
 
+You can specify a set of IPv6 subnets that are disallowed in answer.
+If they appear, they will be replaced by AAAAs generated from As.
+
+.. code-block:: lua
+
+   dns64.config({
+       prefix = '2001:db8:3::',
+       exclude_subnets = { '2001:db8:888::/48', '::ffff/96' },
+   })
+   -- You could even pass '::/0' to always force using generated AAAAs.
+
+In case you don't want dns64 for all clients,
+you can set ``DNS64_DISABLE`` flag via the :ref:`view module <mod-view>`.
+
+.. code-block:: lua
+
+    modules = { 'dns64', 'view' }
+    -- Disable dns64 for everyone, but re-enable it for two particular subnets.
+    view:addr('::/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
+    view:addr('2001:db8:11::/48', policy.all(policy.FLAGS(nil, 'DNS64_DISABLE')))
+    view:addr('2001:db8:93::/48', policy.all(policy.FLAGS(nil, 'DNS64_DISABLE')))
 
-.. _introduction: https://doc.powerdns.com/md/recursor/dns64