Problems validating IPv6 against host running 6to4

Thanks for the extra info @Oskar!

After reviewing the literature and consulting with a networking expert, we’re following @tialaramex’s advice and disabling validation requests to addresses that start with the 6to4 anycast prefix 2002::/16. This is effective now, through a firewall rule, and we’ll be adding it into Boulder so we can provide an earlier error message.

Our reasoning is exactly as @tialaramex says: If we send 6to4 requests to the anycast prefix, it’s too easy for an untrusted third party to advertise that prefix and MITM our validation requests. We could run a 6to4 gateway inside our own datacenter, but since the 6to4 anycast prefix is deprecated, we think it’s not worth the extra operational overhead to support a very small number of hosts.

My recommendation to anyone operating a host that only has a 6to4 address is to use the DNS validation method.

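The pre-validation check described above, as an added example rather than Boulder's own code: it classifies a candidate validation target as a 6to4 address (2002::/16), recovers the IPv4 address embedded in bits 16 to 47 of the 6to4 address (which is what a relay would actually forward to), and refuses to send the request so the CA can return an early error instead of letting the packet leave for whoever advertises the anycast prefix. The function names and the error text are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// sixToFourPrefix is the deprecated 6to4 prefix 2002::/16 (RFC 3056).
// Traffic to it is routed to whichever 6to4 relay advertises 192.88.99.0/24,
// which the CA cannot trust.
var sixToFourPrefix = netip.MustParsePrefix("2002::/16")

// Is6to4 reports whether addr is a native IPv6 address inside 2002::/16.
func Is6to4(addr netip.Addr) bool {
	if !addr.Is6() || addr.Is4In6() {
		return false
	}
	return sixToFourPrefix.Contains(addr)
}

// Embedded4 returns the IPv4 address carried in bits 16..47 of a 6to4
// address (2002:V4HI:V4LO::/48), and false for any other address.
func Embedded4(addr netip.Addr) (netip.Addr, bool) {
	if !Is6to4(addr) {
		return netip.Addr{}, false
	}
	b := addr.As16()
	return netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]}), true
}

// CheckValidationTarget is the hypothetical early check: it returns a
// descriptive error for 6to4 targets and nil for everything else, so the
// caller can fail the HTTP-01 / TLS-ALPN-01 attempt before any packet is sent.
func CheckValidationTarget(addr netip.Addr) error {
	if !Is6to4(addr) {
		return nil
	}
	v4, _ := Embedded4(addr)
	return fmt.Errorf("refusing validation to %s: 6to4 address (2002::/16) would be relayed over an untrusted anycast path to %s; use the DNS-01 challenge instead",
		addr, v4)
}

func main() {
	// Constructed sample targets: a 6to4 address for 192.0.2.4, a native
	// IPv6 address, and an IPv4 address.
	for _, s := range []string{"2002:c000:0204::1", "2001:db8::1", "192.0.2.4"} {
		addr := netip.MustParseAddr(s)
		if err := CheckValidationTarget(addr); err != nil {
			fmt.Println("blocked:", err)
		} else {
			fmt.Println("ok to validate:", addr)
		}
	}
}
```

The address-level check belongs in front of the validation client, not only in the firewall: a firewall rule silently drops or resets the connection and the applicant sees a generic timeout, whereas the in-process check can tell them to switch to DNS validation.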