by Dagger2 69 days ago
Privacy extensions are additional addresses that are used by default for outbound connections. You still have the non-privacy address, which doesn't change; put that one into DNS.

This approach prevents outbound connections from leaking the address needed to connect to your servers. On v4, it's likely that any outbound connection from your network gives the server the IP they need to do that.


My ISP changes the prefix on a regular basis (and on request)
> My ISP changes the prefix on a regular basis (and on request)

I found this was the case (with Telus) until I reconfigured the DHCPv6-PD client on my gateway, mainly to stop it from sending DHCPv6 Release messages and to have it explicitly request the prefix I was previously assigned.

OpenWRT in particular seemed to be built not to save any DHCP client state in non-volatile memory, resulting in a lot of unnecessary address and prefix churn when rebooting the router. I've had the same stable prefix for over a year now, using systemd-networkd with the following configuration (the important parts are SendRelease=no, RequestAddress= and PrefixDelegationHint=; the rest of the options are just insurance):

https://gist.github.com/dlitz/487d733140aa784559d73e4cd6f723...

So you'll never have a permanent unchanging v6 address to ID your traffic with.

Privacy extensions are orthogonal here; they only affect the suffix, not the prefix. As for dealing with a changing prefix... I'm afraid you'll just have to find some way to automate the DNS updates. You can do it with a program running on one of the servers -- I can't suggest a specific one offhand since I have a static prefix and haven't needed it, but they do exist.
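Dagger2 leaves the choice of updater open. The script below is an added example (not from any commenter, and not the contents of the linked gist) of the part a practitioner has to get right when automating this: select the stable, non-temporary global address from `ip -6 addr show` output, so that the privacy-extension address never lands in DNS, skip addresses left over from the previous prefix (Linux marks them `deprecated` once the router stops advertising it), and emit an RFC 2136 dynamic update only when the published address actually changed. The hostname, zone, interface, key file name and the sample `ip` output are constructed for illustration; the DNS server must be configured to accept TSIG-signed updates for that name.

```python
"""Publish a host's stable (non-privacy) IPv6 address via nsupdate.

Added example, not from the HN thread or the linked gist. Reads
`ip -6 addr show` output, ignores temporary (privacy-extension) and
deprecated addresses, and emits an RFC 2136 update only when the
address to publish changed.
"""
import ipaddress
import os
import re
import subprocess
import sys

# Constructed sample of `ip -6 addr show dev eth0` on a host with privacy
# extensions enabled: one temporary address, one stable address on the
# current prefix, one stable address left over from the previous prefix
# (deprecated after the ISP renumbered) and the link-local address.
# 2001:db8::/32 is documentation space.
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:7890/64 scope global temporary dynamic
       valid_lft 86385sec preferred_lft 14385sec
    inet6 2001:db8:1:2:1234:56ff:fe78:9abc/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86385sec preferred_lft 14385sec
    inet6 2001:db8:1:1:1234:56ff:fe78:9abc/64 scope global deprecated dynamic mngtmpaddr
       valid_lft 3000sec preferred_lft 0sec
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever
"""

_INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\w+)(.*)$")
_ULA = ipaddress.IPv6Network("fc00::/7")


def stable_global_addresses(ip_output):
    """Return the globally routable addresses that are safe to publish.

    Skips link-local (scope != global), ULA (not reachable from outside),
    'temporary' (privacy extension, rotates), 'deprecated' (old prefix,
    still configured but no longer preferred) and 'tentative' (DAD not
    finished yet) addresses.
    """
    chosen = []
    for line in ip_output.splitlines():
        m = _INET6_LINE.match(line)
        if not m:
            continue
        addr_and_len, scope, flags = m.groups()
        if scope != "global":
            continue
        if set(flags.split()) & {"temporary", "deprecated", "tentative"}:
            continue
        addr = ipaddress.IPv6Interface(addr_and_len).ip
        if addr in _ULA:
            continue
        chosen.append(addr)
    return chosen


def nsupdate_script(name, zone, addr, ttl=300):
    """Build one nsupdate transaction that replaces every AAAA for `name`."""
    fqdn = name.rstrip(".") + "."
    return (
        f"zone {zone}\n"
        f"update delete {fqdn} AAAA\n"  # drop records pointing at the old prefix
        f"update add {fqdn} {ttl} AAAA {addr}\n"
        "send\n"
    )


def plan_update(ip_output, name, zone, last_published=None, ttl=300):
    """Return the nsupdate script to run, or None if DNS is already current."""
    addrs = stable_global_addresses(ip_output)
    if not addrs:
        raise RuntimeError("no stable global IPv6 address found")
    current = addrs[0]
    if last_published is not None and ipaddress.IPv6Address(last_published) == current:
        return None
    return nsupdate_script(name, zone, current, ttl)


if __name__ == "__main__":
    # Hypothetical invocation, run from cron or a networkd dispatcher hook:
    #   ddns.py eth0 host.example.net example.net Khost.example.net.+165+12345.key
    iface, name, zone, keyfile = sys.argv[1:5]
    state = f"/var/lib/ddns/{name}.last"  # where the last published address is kept
    last = open(state).read().strip() if os.path.exists(state) else None
    out = subprocess.run(["ip", "-6", "addr", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    script = plan_update(out, name, zone, last)
    if script is not None:
        # TSIG-signed dynamic update; the server must allow this key for the name.
        subprocess.run(["nsupdate", "-k", keyfile], input=script, text=True, check=True)
        with open(state, "w") as f:
            f.write(str(stable_global_addresses(out)[0]) + "\n")
```

Deleting all AAAA records before adding the new one is deliberate: after a prefix change the old address is unreachable, and leaving it in DNS makes clients that pick it fail until its TTL expires. Keep the TTL short for the same reason.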