coredns: fix ENOTFOUND for own zone, enable dns64 for IPv4 clients

Two Corefile changes:
- Add lumpiasty.xyz server block without dns64. Replaces the manual
  RouterOS static FWD entry (\"bypass nat64\") which returned NOERROR
  with empty answer instead of relaying NXDOMAIN. Combined with
  ndots:5 and pod search domains this made getaddrinfo stop at the
  search-suffixed candidate and fail with ENOTFOUND for valid names
  (kaneo -> authentik OAuth fetch failures). CoreDNS relays rcodes
  faithfully; internal zone keeps real AAAA for native IPv6.
- Add allow_ipv4 to dns64 (previously uncommitted): without it only
  queries arriving over IPv6 are synthesized, but all clients reach
  CoreDNS via RouterOS over IPv4, so translate_all never applied.
The RouterOS static FWD entry must be removed after deploying the new
image - ansible already declares only the ts.net entry, so a playbook
run handles it.

ansible/roles/routeros/tasks/base.yml

@@ -192,11 +192,12 @@
         forward-to: 100.100.100.100
         match-subdomain: true
         comment: Tailscale MagicDNS
-      - name: lumpiasty.xyz
-        type: FWD
-        forward-to: 1.1.1.1
-        match-subdomain: true
-        comment: lumpiasty.xyz bypass nat64
+      # Do NOT add a lumpiasty.xyz FWD entry here. RouterOS FWD entries return
+      # NOERROR with an empty answer instead of relaying NXDOMAIN, which breaks
+      # getaddrinfo search-domain processing (ENOTFOUND for valid names in k8s
+      # pods). The DNS64 bypass for our own zone lives in the CoreDNS Corefile
+      # (mikrotik/coredns/Corefile, lumpiasty.xyz server block) which relays
+      # rcodes correctly. See docs/coredns-nat64.md pitfall #4.
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible