Thank you, it does work.

However, I cannot use it in my production environment as this returns NODATA globally (all views) for security.ubuntu.com.
I have several views not using dns64 for which the AAAA record should be the existing original answer.

So for now, unless there is a way to attach the policy-script to a specific view declared in my config.yaml, I still need to use this method based on the IPs rather than the fqdn:

dns64:
  enable: true
  exclude-subnets: [2620:2d:4002:1::102/128, 2620:2d:4000:1::103/128, 2620:2d:4000:1::101/128, 2620:2d:4002:1::101/128, 2620:2d:4002:1::103/128, 2a06:bc80:0:1000::16/128, 2a06:bc80:0:1000::18/128, 2a06:bc80:0:1000::17/128, 2620:2d:4000:1::102/128]

A setting like exclude-domains: [] would be ideal.

Regards,

Gabriel

On 8 Jan 2026 at 18:07, Vladimír Čunát via knot-resolver-users <knot-resolver-users@lists.nic.cz> wrote:


On 15/12/2025 10.28, Vladimír Čunát via knot-resolver-users wrote:
lua:
  policy-script: |
    assert(C.kr_rule_local_data_ins(
      kres.rrset(kres.str2dname('security.ubuntu.com.'), kres.type.AAAA, nil, C.KR_RULE_TTL_DEFAULT),
      nil, 0, C.KR_RULE_OPTS_DEFAULT
    ) == 0)

So in 6.1.0 you can do this.

--