From 9f36aef24cac3890e24e57d1821f7ede5e34ff8e Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 6 Apr 2011 04:20:58 +0000
Subject: [PATCH] 3094.   [doc]           Expand dns64 documentation.

---
 CHANGES                 |  2 ++
 doc/arm/Bv9ARM-book.xml | 32 +++++++++++++++++++++++++-------
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9c73acb2e3..c3368a9c3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3094.	[doc]		Expand dns64 documentation.
+
 3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
 
 3092.	[bug]		Signatures for records at the zone apex could go
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 3c65f5398c..21467e81c2 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.483 2011/03/21 07:22:12 each Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.484 2011/04/06 04:20:58 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -5801,12 +5801,15 @@ options {
 		<userinput>any;</userinput>.
 	      </para>
 	      <para>
-		Each <command>dns64</command> supports an optional
-		<command>exclude</command> ACL that selects which
-		IPv6 addresses will be ignored for the purposes
-		of determining whether dns64 is to be applied.
-                Any non-matching address will prevent further
-		DNS64 processing from occurring for this client.
+		Normally, DNS64 won't apply to a domain name that
+		owns one or more AAAA records; these records will
+		simply be returned.  The optional
+		<command>exclude</command> ACL allows specification
+		of a list of IPv6 addresses that will be ignored
+		if they appear in a domain name's AAAA records, and
+		DNS64 will be applied to any A records the domain
+		name owns.  If not defined, <command>exclude</command>
+		defaults to none.
 	      </para>
 	      <para>
 		A optional <command>suffix</command> can also
@@ -5816,6 +5819,21 @@ options {
 		matching the prefix and mapped IPv4 address
 		must be zero.
 	      </para>
+	      <para>
+		If <command>recursive-only</command> is set to
+		<command>yes</command> the DNS64 synthesis will
+		only happen for recursive queries.  The default
+		is <command>no</command>.
+	      </para>
+	      <para>
+		If <command>break-dnssec</command> is set to
+		<command>yes</command> the DNS64 synthesis will
+		happen even if the result, if validated, would
+		cause a DNSSEC validation failure.  If this option
+		is set to <command>no</command> (the default), the DO
+		is set on the incoming query, and there are RRSIGs on
+		the applicable records, then synthesis will not happen.
+	      </para>
 <programlisting>
 	acl rfc1918 { 10/8; 192.168/16; 172.16/12; };