
Indeed. I usually use the initial /64 for small sites, and that's it, but on larger sites that I manage with the routed /48, I usually use the /64 for the DMZ just to make firewall rules simpler/cleaner. On those sites, where the /64 is the DMZ, I was able to confirm that the Google search homepage was giving a 403 Unauthorized from anything on the /64.

Just to be clear, even if you have a routed /48, the /64 still associated with the tunnel may still be blocked. For me, in all of the networks I manage, the /64 is blocked.

The prevailing guess is HE.net carved up a /48 or /32 for those initial /64s and Google is blocking whatever larger block they all come from. The routed /48s must be from a different block.

There was a suggestion that it was rDNS dependent, but on those sites with a routed /48 the SLAAC hosts on the /48 had no issues, and the hosts on the /64 that got 403'ed all had static rDNS that matched their FQDNs. Definitely not rDNS related.



