From: Vladimír Čunát Date: Tue, 10 Aug 2021 18:28:28 +0000 (+0200) Subject: modules/dns64: document the new features X-Git-Tag: v5.4.2~8^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92ccb9801322419adbff04f690458cb954db739c;p=thirdparty%2Fknot-resolver.git modules/dns64: document the new features --- diff --git a/modules/dns64/README.rst b/modules/dns64/README.rst index feceb1ccc..07908c80b 100644 --- a/modules/dns64/README.rst +++ b/modules/dns64/README.rst 
@@ -8,21 +8,52 @@ DNS64 The module for :rfc:`6147` DNS64 AAAA-from-A record synthesis, it is used to enable client-server communication between an IPv6-only client and an IPv4-only server. See the well written `introduction`_ in the PowerDNS documentation. If no address is passed (i.e. ``nil``), the well-known prefix ``64:ff9b::`` is used. +.. _introduction: https://doc.powerdns.com/md/recursor/dns64 + +Simple example +-------------- + +.. code-block:: lua + + -- Load the module with default settings + modules = { 'dns64' } + -- Reconfigure later + dns64.config({ prefix = '2001:db8::aabb:0:0' }) + .. warning:: The module currently won't work well with :func:`policy.STUB`. - Also, the IPv6 passed in configuration is assumed to be ``/96``, and - PTR synthesis and "exclusion prefixes" aren't implemented. + Also, the IPv6 ``prefix`` passed in configuration is assumed to be ``/96``. .. tip:: The A record sub-requests will be DNSSEC secured, but the synthetic AAAA records can't be. Make sure the last mile between stub and resolver is secure to avoid spoofing. -Example configuration ---------------------- + +Advanced options +---------------- + +TTL in CNAME generated in the reverse ``ip6.arpa.`` subtree is configurable: .. code-block:: lua - -- Load the module with a NAT64 address - modules = { dns64 = 'fe80::21b:77ff:0:0' } - -- Reconfigure later - dns64.config('fe80::21b:aabb:0:0') + dns64.config({ prefix = '2001:db8:77ff::', rev_ttl = 300 }) +You can specify a set of IPv6 subnets that are disallowed in answer. +If they appear, they will be replaced by AAAAs generated from As. + +.. code-block:: lua + + dns64.config({ + prefix = '2001:db8:3::', + exclude_subnets = { '2001:db8:888::/48', '::ffff/96' }, + }) + -- You could even pass '::/0' to always force using generated AAAAs. + +In case you don't want dns64 for all clients, +you can set ``DNS64_DISABLE`` flag via the :ref:`view module `. + +.. 
code-block:: lua + + modules = { 'dns64', 'view' } + -- Disable dns64 for everyone, but re-enable it for two particular subnets. + view:addr('::/0', policy.all(policy.FLAGS('DNS64_DISABLE'))) + view:addr('2001:db8:11::/48', policy.all(policy.FLAGS(nil, 'DNS64_DISABLE'))) + view:addr('2001:db8:93::/48', policy.all(policy.FLAGS(nil, 'DNS64_DISABLE'))) -.. _introduction: https://doc.powerdns.com/md/recursor/dns64
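Review bot: In the ``exclude_subnets`` example under "Advanced options", ``'::ffff/96'`` does not denote the IPv4-mapped range. ``::ffff`` sets only the lowest 16 bits, so under a /96 mask the entry covers ``::/96``. If the IPv4-mapped block was intended, write ``'::ffff:0:0/96'``. Second, the removed example configured the module with a bare string (``modules = { dns64 = 'fe80::21b:77ff:0:0' }`` and ``dns64.config('fe80::21b:aabb:0:0')``), while the new examples pass a table with ``prefix``. The README should state whether the string form is still accepted, because the unchanged sentence "If no address is passed (i.e. ``nil``)" still reads as describing the old calling convention. Third, the comment suggesting ``'::/0'`` to always force generated AAAAs should point back to the tip earlier in the file: per that tip synthetic AAAA records cannot be DNSSEC secured, so this setting makes every AAAA answer depend on the stub-to-resolver path being protected.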