Messages - KalleDK

#1
26.1 Series / Re: Dnsmasq and IPv6
February 10, 2026, 08:07:44 AM
Quote from: Maurice on February 09, 2026, 01:28:10 PM
2000::1:1/64 and 2000::2:1/64 is the same network - 2000::/64. You shouldn't have the same network on two interfaces.

Cheers
Maurice

Sorry, masked the IPs wrong in the example - have updated to some more real ones
#2
26.1 Series / Dnsmasq and IPv6
February 09, 2026, 12:07:14 PM
### TLDR ###

Clients can reach dnsmasq on all ipv4 addresses
Clients can only reach dnsmasq on its uplink ipv6 address

####

I run only dnsmasq and have dualstack ipv4 and ipv6.

If I have two interfaces

NET1
192.168.1.1/24
2000:1234:1::1/64

NET2
192.168.2.1/24
2000:1234:2::1/64


Then I experience the following on a client on NET1

Works
nslookup ifconfig.co 192.168.1.1
nslookup ifconfig.co 2000:1234:1::1
nslookup ifconfig.co 192.168.2.1

Doesn't work
nslookup ifconfig.co 2000:1234:2::1

The same is happening the other way round if I do it from NET2

I can't see any firewall rules that should block it
#3
26.1 Series / Re: SSHFP Unbound with Dnsmasq
February 09, 2026, 12:00:49 PM
To others facing this - I ended up ditching Unbound and going pure Dnsmasq
#4
26.1 Series / SSHFP Unbound with Dnsmasq
January 30, 2026, 02:38:11 PM
My setup right now is Unbound handling DNS.
I forward "example.com" to Dnsmasq with the setting (Forward First) and disallow Dnsmasq to use other nameservers.
This allows me to look up serv01.example.com, that Dnsmasq replies with 192.168.1.10
And look up serv02.example.com, that Dnsmasq does not know, and Unbound then asks out on the internet and gets 80.80.80.80
Everything works - nearly.

Now if I ask for SSHFP records, that Dnsmasq does not know about, I get the records from Cloudflare via Unbound, but Unbound does not set the flag
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server

Which makes ssh fail when using sshfp.

If I disable the forward to Dnsmasq everything sshfp works because now Unbound sets the flag, but I can no longer look up local IPs
.... .... ..1. .... = Answer authenticated: Answer/authority portion was authenticated by the server
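
The flag shown in the two captures above is bit 0x0020 of the DNS header flags word. As an added example (not part of the original post), this Python sketch decodes that bit and any SSHFP records from a raw DNS response; the message built by build_sample() is constructed, with a dummy fingerprint, and all function names are hypothetical.

```python
import struct

SSHFP = 44        # RR type number for SSHFP
AD_BIT = 0x0020   # "Answer authenticated" bit in the header flags word

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1
        if length == 0:             # root label terminates the name
            return off
        off += length

def inspect_response(msg):
    """Return (ad_flag, [(algorithm, fp_type, hex_fingerprint), ...])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == SSHFP and rdlen > 2:
            records.append((rdata[0], rdata[1], rdata[2:].hex()))
    return bool(flags & AD_BIT), records

def build_sample(ad):
    """Constructed SSHFP response for serv02.example.com (dummy digest)."""
    flags = 0x8180 | (AD_BIT if ad else 0)     # QR, RD, RA set
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    labels = (b"serv02", b"example", b"com")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", SSHFP, 1)
    rdata = bytes([4, 2]) + bytes(range(32))   # Ed25519, SHA-256, dummy digest
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SSHFP, 1, 300, len(rdata)) + rdata
    return header + question + answer

if __name__ == "__main__":
    for ad in (False, True):
        print(inspect_response(build_sample(ad)))
```
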