From reading "Problems validating IPv6 against host running 6to4 - #11 by cpu", it seems that issuance for sites with 6to4 addresses was banned. Unfortunately, I need to operate services on networks where the only publicly routable addresses available are 6to4, and just spent a long time trying to track down why I was getting the error "no valid IP addresses found". Up till now I've been running with self-signed certificates, but some clients will not accept that, and of course it's not providing any security against active attackers, so I'd really like to upgrade to using certificates signed by a CA.
I don't think there's any valid security argument against accepting 6to4, as any impact is limited only to sites whose AAAA records point to 6to4 addresses. Surely the alternative of not being able to obtain certificates at all, and using plain HTTP or a self-signed certificate, is far worse.
Using dns-01 instead of http-01 is not really an option for me, as I use DNSSEC with a fully offline signing process, meaning there's no way for automated processes to add records. I would really welcome a DNSSEC-friendly validation process (e.g. issuance of a cert for any CSR with key matching the TLSA record, without further challenges needed), but that's outside the scope of the immediate problem here, I think.
Could support for 6to4 addresses please be reinstated?
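As an added example (not part of the original post, and not the CA's own validation code), the following Python shows how a validator that looks up a host's AAAA records would classify each address and why a policy that excludes 6to4 (2002::/16, RFC 3056, which embeds the IPv4 relay endpoint in bits 16-47) yields exactly the "no valid IP addresses found" outcome quoted above for a host whose only address is 6to4. The host names and records are constructed; the 2001:db8::/32 documentation prefix stands in for a native global address. It also goes slightly beyond the post by flagging Teredo (2001::/32) as a second tunneled class, using only the standard library `ipaddress` module.

```python
"""Classify AAAA targets the way an HTTP-01 validator with a 6to4 policy might.

Added example: constructed data, standard library only.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample DNS answers for hypothetical names (not real records).
# 2001:db8::/32 is the documentation prefix; it stands in here for a native
# global address. A real validator would additionally reject non-global space.
SAMPLE_AAAA: Dict[str, List[str]] = {
    "6to4-only.example": ["2002:c000:204::1"],            # 6to4, embeds 192.0.2.4
    "native.example": ["2001:db8::10"],                   # native (placeholder)
    "mixed.example": ["2002:c000:204::1", "2001:db8::10"],
    "teredo.example": ["2001:0:c000:204::1"],             # Teredo, server 192.0.2.4
    "ula.example": ["fd00::1"],                           # unique local, never usable
}

ULA = ipaddress.IPv6Network("fc00::/7")


def classify(addr: str) -> Tuple[str, str]:
    """Return (kind, detail) for one IPv6 address string.

    kind is one of 'native', '6to4', 'teredo' or 'unroutable'.
    """
    ip = ipaddress.IPv6Address(addr)
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.ipv4_mapped is not None):
        return "unroutable", "special-purpose address"
    if ip in ULA:
        return "unroutable", "unique local address"
    # 2002::/16: the embedded IPv4 address is the relay/router endpoint.
    embedded_v4 = ip.sixtofour
    if embedded_v4 is not None:
        return "6to4", f"relayed via IPv4 {embedded_v4}"
    # 2001::/32: Teredo encodes the server and (obfuscated) client address.
    teredo = ip.teredo
    if teredo is not None:
        server, client = teredo
        return "teredo", f"server {server}, client {client}"
    return "native", "global unicast"


def select_validation_targets(addrs: List[str],
                              allow_6to4: bool) -> Tuple[List[str], List[str]]:
    """Split addresses into (usable, rejected-with-reason) under a policy."""
    usable: List[str] = []
    rejected: List[str] = []
    for a in addrs:
        kind, detail = classify(a)
        if kind == "native" or (kind == "6to4" and allow_6to4):
            usable.append(a)
        else:
            rejected.append(f"{a}: {kind} ({detail})")
    return usable, rejected


def validation_outcome(name: str, allow_6to4: bool = False) -> str:
    """What the validator would report for a sample name under the policy."""
    usable, _rejected = select_validation_targets(SAMPLE_AAAA[name], allow_6to4)
    if not usable:
        return "no valid IP addresses found"   # the error quoted in the post
    return f"connect to {usable[0]}"


if __name__ == "__main__":
    for name in SAMPLE_AAAA:
        for policy in (False, True):
            print(f"{name:20} allow_6to4={policy!s:5} -> "
                  f"{validation_outcome(name, policy)}")
```

The key observation is in `select_validation_targets`: a host with a mix of native and 6to4 addresses still validates because the native address is chosen, so the policy only bites when 6to4 is the sole address, which is precisely the situation described in the post.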