Two Corefile changes:
- Add lumpiasty.xyz server block without dns64. Replaces the manual
RouterOS static FWD entry ("bypass nat64") which returned NOERROR
with empty answer instead of relaying NXDOMAIN. Combined with
ndots:5 and pod search domains this made getaddrinfo stop at the
search-suffixed candidate and fail with ENOTFOUND for valid names
(kaneo -> authentik OAuth fetch failures). CoreDNS relays rcodes
faithfully; internal zone keeps real AAAA for native IPv6.
- Add allow_ipv4 to dns64 (previously uncommitted): without it only
queries arriving over IPv6 are synthesized, but all clients reach
CoreDNS via RouterOS over IPv4, so translate_all never applied.
The RouterOS static FWD entry must be removed after deploying the new
image - ansible already declares only the ts.net entry, so a playbook
run handles it.