Update IPv6 documentation

docs/networking/ipv6.md

@@ -21,6 +21,17 @@ Subnet IPv6 CIDR allocations may be specified in the cluster spec using the spec
 where "LEN" is the prefix length and "N" is the hexadecimal sequence number of the CIDR within the VPC's IPv6 CIDR.
 For example, if the VPC's CIDR is `2001:db8::/56` then the syntax `/64#a` would mean `2001:db8:0:a/64`.
 
+## Routing and NAT64
+
+Managed private and public subnets which have `IPv6CIDR` assignments route `64:ff9b::/96` (NAT64) to whatever is specified in the
+`egress` field of the subnet's spec, defaulting the availability zone's NAT Gateway.
+
+If a NAT Gateway is thus needed by a managed public subnet and there are no utility subnets in that availability zone,
+the NAT Gateway will be placed in the first-listed public subnet in that zone.
+
+The managed private subnets route the rest of outbound IPv6 traffic to the VPC's Egress-only Internet Gateway.
+The managed public subnets route the rest of outbound IPv6 traffic to the VPC's Internet Gateway.
+
 ## CNI
 
 kOps currently supports IPv6 on Calico, Cilium, and bring-your-own CNI only.
@@ -34,4 +45,9 @@ Running IPv6 with Calico requires a Debian 11-based AMI. As of the writing of th
 
 ## Future work
 
-* kOps currently does not have a solution for NAT64/DNS64.
+* The AWS Cloud Controller Manager does not, as of the writing of this document, [support Resource Based Names](https://github.com/kubernetes/cloud-provider-aws/pull/286).
+This blocks supporting IPv6-only subnets.
+
+* NodeLocalDNS does not, as of the writing of this document, [support DNS64](https://github.com/kubernetes/dns/pull/489).
+
+* External-DNS does not, as of the writing of this document, support registering AAAA records.