NSD not reachable over IPv6 without ip-address option

Hi,

I have a dual-stack IPv4/IPv6 server on which I run NSD. However, without adding the "ip-address" option in nsd.conf, NSD does not respond to IPv6 queries. It does respond to IPv4 queries. Also, it does respond to requests from the same machine to ::1.

Below you can see that NSD is indeed listening on UDP port 53 on IPv6 on the wildcard address:

root@lewis:/etc/nsd# ss -ulpn sport inet6:53
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 [::]:53 [::]:* users:(("nsd: server 4",pid=16052,fd=4),("nsd: server 3",pid=16051,fd=4),("nsd: server 2",pid=16050,fd=4),("nsd: server 1",pid=16049,fd=4),("nsd: main",pid=16048,fd=4),("nsd: xfrd",pid=16046,fd=4))

Does anybody know what could be the problem?

Kind regards,

Pim Kunis

Hi Pim,

This issue comes up quite frequently.

If you don't configure NSD to bind to a specific IPv6 address, then when it is constructing a DNS response packet, it doesn't set the source address in it. It passes the packet to the OS, which then selects a route for the packet, and sets the source address appropriate for that route. If you have multiple interfaces on the server, or multiple IPv6 addresses on an interface, then the OS can pick the wrong one, and the client will receive a DNS reply from an address it wasn't expecting, and probably discard it.

It is good practice to make your NSD server bind explicitly to the addresses that it's supposed to listen to and reply from.

Regards,
Anand

Hi Anand,

Thank you for your reply; I understand the problem better now. I used Wireshark and indeed the packets were being returned from the wrong address. For some reason, my server is getting a second globally routable /128 IPv6 address in the prefix that is advertised by my router. Would you happen to know what could be causing this?

Curiously, if I tell NSD to use my main NIC, which has two global IPv6 addresses as said above, it will always pick the correct one (so not the /128 one).

Thank you,

Pim Kunis

Alternatively, if your IP stack is static and you only have one IPv4 and
one IPv6, then you can use do-ip4 and do-ip6 and you don't need to
specify specific IP addresses in nsd.conf

server:
  do-ip4: yes
  do-ip6: yes

-Jim P.

If you're using SLAAC, this is most likely privacy addresses.

(Some software has a way to bind to 0.0.0.0 / :: and copy the
destination address from the request as the source address of the
response, e.g. interface-automatic in unbound, but NSD doesn't do
that).
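As an added example (not code from this thread, from NSD or from Unbound), the Python script below shows at socket level what Anand's explanation and the note about interface-automatic describe: a UDP socket bound to the wildcard [::] asks the kernel for IPV6_PKTINFO on every request and copies the request's destination address back as the source of the reply, so a host with several IPv6 addresses always answers from the address that was queried. The sendto() fallback path is the behaviour Pim saw with Wireshark: without pktinfo the kernel picks the source by route lookup. The script assumes Linux socket semantics (RFC 3542 in6_pktinfo layout), and the loopback round-trip and the query bytes are constructed for the demonstration.

```python
import socket
import struct
import threading

# Layout of struct in6_pktinfo (RFC 3542) as Linux delivers it in the
# IPV6_PKTINFO control message: a 16-byte in6_addr followed by an
# unsigned int interface index (20 bytes with native alignment).
IN6_PKTINFO = struct.Struct("16sI")


def parse_pktinfo(ancdata):
    """Pull (destination address, arrival ifindex) out of recvmsg() ancillary data.

    Returns None when no IPV6_PKTINFO control message is present, which is
    what a socket without IPV6_RECVPKTINFO enabled delivers.
    """
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IPV6 and ctype == socket.IPV6_PKTINFO:
            raw_addr, ifindex = IN6_PKTINFO.unpack(data[:IN6_PKTINFO.size])
            return socket.inet_ntop(socket.AF_INET6, raw_addr), ifindex
    return None


def build_pktinfo(source_addr, ifindex=0):
    """Ancillary data for sendmsg() that pins the reply's source address.

    The kernel only accepts an address configured on this host, so echoing
    back the destination of the matching request is always valid.
    """
    raw_addr = socket.inet_pton(socket.AF_INET6, source_addr)
    return [(socket.IPPROTO_IPV6, socket.IPV6_PKTINFO,
             IN6_PKTINFO.pack(raw_addr, ifindex))]


def serve_one(sock):
    """Answer one datagram on a wildcard-bound socket.

    With pktinfo available, the reply leaves from the address the client
    actually queried (the "interface-automatic" behaviour). Without it, the
    sendto() fallback lets the kernel pick the source by route lookup, which
    is how a reply can come from an unexpected address on a multi-address
    host. Returns the destination address that was copied, or None.
    """
    data, ancdata, _flags, client = sock.recvmsg(
        4096, socket.CMSG_SPACE(IN6_PKTINFO.size))
    info = parse_pktinfo(ancdata)
    if info is None:
        sock.sendto(data, client)          # kernel chooses the source address
        return None
    dest_addr, ifindex = info
    sock.sendmsg([data], build_pktinfo(dest_addr, ifindex), 0, client)
    return dest_addr


def loopback_roundtrip():
    """Demonstrate the technique over ::1 (constructed test traffic).

    Returns (address the server copied, address the client saw the reply
    come from), or None if IPv6 loopback is unavailable on this host.
    """
    try:
        server = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        server.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_RECVPKTINFO, 1)
        server.settimeout(2)
        server.bind(("::", 0))             # wildcard bind, like NSD without ip-address
        port = server.getsockname()[1]

        seen = {}
        worker = threading.Thread(
            target=lambda: seen.update(dest=serve_one(server)))
        worker.start()

        client = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        client.settimeout(2)
        client.sendto(b"constructed query", ("::1", port))
        reply, peer = client.recvfrom(4096)
        worker.join()
        client.close()
        server.close()
        if reply != b"constructed query":
            return None
        return seen.get("dest"), peer[0]
    except OSError:
        return None


if __name__ == "__main__":
    print(loopback_roundtrip())
```

On a host with several global IPv6 addresses, pointing a query at each of them and watching the replies in Wireshark (as Pim did) shows the sendmsg() path answering from the queried address every time, while the sendto() path answers from whichever address the route lookup selects. Since NSD does not implement this, the NSD-side fix remains the explicit ip-address: entries Anand recommended.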