I think I have exactly the same problem as described here. But I need my ULA-Prefix (for evil NAT6 purposes since Mullvad only give me a /128). I'm thinking about moving my Nests to an interface which assigns GUAs but not ULAs. Is this achievable? I guess something like this would work; whereby ip6class is used:
Oddly, the 'iot' interface stopped dishing out GUAs and ULAs with list ip6class 'wan6 wan' added. Must be something simple (syntax error) so will dig deeper.
Thanks, @jbrossard; appreciate the extra info. Coincidentally, I was having trouble adding a new Protect to my Nest account earlier today but was able to resolve it by changing DNS servers. I'll do similarly (turning off DNSSEC) and keep an eye on it over the next few days.
I temporarily switched from CleanBrowsing.org to Google (8.8.8.8). When I've got a bit of time at the weekend, I'll probably switch to NextDNS; will let you know how it goes.
Thanks. That's really helpful. Very similar to my set-up: Stubby for DoT but with CleanBrowsing's DNS servers. I've turned DNSSEC off on the router now, so hopefully that'll sort it out!
I see cleanbrowsing.org also enforces DNSSEC so doing it at the router is redundant, just like my setup with DNSSEC enabled was redundant when using Quad9.
I hope the Nest Protects stay online! I've been working on this issue for a week!