summaryrefslogtreecommitdiffstats
path: root/modules/dns64/README.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:26:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:26:00 +0000
commit830407e88f9d40d954356c3754f2647f91d5c06a (patch)
treed6a0ece6feea91f3c656166dbaa884ef8a29740e /modules/dns64/README.rst
parentInitial commit. (diff)
downloadknot-resolver-upstream.tar.xz
knot-resolver-upstream.zip
Adding upstream version 5.6.0.upstream/5.6.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/dns64/README.rst')
-rw-r--r--modules/dns64/README.rst62
1 files changed, 62 insertions, 0 deletions
diff --git a/modules/dns64/README.rst b/modules/dns64/README.rst
new file mode 100644
index 0000000..04d2427
--- /dev/null
+++ b/modules/dns64/README.rst
@@ -0,0 +1,62 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _mod-dns64:
+
+DNS64
+=====
+
+The module for :rfc:`6147` DNS64 AAAA-from-A record synthesis, it is used to enable client-server communication between an IPv6-only client and an IPv4-only server. See the well written `introduction`_ in the PowerDNS documentation.
+If no address is passed (i.e. ``nil``), the well-known prefix ``64:ff9b::`` is used.
+
+.. _introduction: https://doc.powerdns.com/md/recursor/dns64
+
+Simple example
+--------------
+
+.. code-block:: lua
+
+ -- Load the module with default settings
+ modules = { 'dns64' }
+ -- Reconfigure later
+ dns64.config({ prefix = '2001:db8::aabb:0:0' })
+
+.. warning:: The module currently won't work well with :func:`policy.STUB`.
+ Also, the IPv6 ``prefix`` passed in configuration is assumed to be ``/96``.
+
+.. tip:: The A record sub-requests will be DNSSEC secured, but the synthetic AAAA records can't be. Make sure the last mile between stub and resolver is secure to avoid spoofing.
+
+
+Advanced options
+----------------
+
+TTL in CNAME generated in the reverse ``ip6.arpa.`` subtree is configurable:
+
+.. code-block:: lua
+
+ dns64.config({ prefix = '2001:db8:77ff::', rev_ttl = 300 })
+
+You can specify a set of IPv6 subnets that are disallowed in answer.
+If they appear, they will be replaced by AAAAs generated from As.
+
+.. code-block:: lua
+
+ dns64.config({
+ prefix = '2001:db8:3::',
+ exclude_subnets = { '2001:db8:888::/48', '::ffff/96' },
+ })
+ -- You could even pass '::/0' to always force using generated AAAAs.
+
+In case you don't want dns64 for all clients,
+you can set ``DNS64_DISABLE`` flag via the :ref:`view module <mod-view>`.
+
+.. code-block:: lua
+
+ modules = { 'dns64', 'view' }
+ -- disable dns64 for all IPv4 source addresses
+ view:addr('0.0.0.0/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
+ -- disable dns64 for all IPv6 source addresses
+ view:addr('::/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
+ -- re-enable dns64 for two IPv6 subnets
+ view:addr('2001:db8:11::/48', policy.all(policy.FLAGS(nil, 'DNS64_DISABLE')))
+ view:addr('2001:db8:93::/48', policy.all(policy.FLAGS(nil, 'DNS64_DISABLE')))
+