Fe80::/10 Not ACL'd in Unbound by default



  • I noticed that when attempting to query over link-local IPv6, Unbound will reject queries by default.

    Adding the following to /var/unbound/access_lists.conf via Access Lists corrected this:

    access-control: fe80::/10 allow
    

    I'm not sure if this is intentional to disallow link-local queries, but since you can choose per-interface binding it would make sense to add this just like the other local IPv6 networks are added.

    This is the behavior on 2.3.4-RELEASE-p1, but looking at /src/etc/inc/unbound.inc in the sources it doesn't look like it'd get picked up in later versions unless get_staticroutes starts returning fe80::/10 in a later version (which, from looking at the code, it doesn't appear to do).

    If anyone has tested this on a later release (cat /var/unbound/access_lists.conf to verify) then this is moot ;)
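    As an added example (not code from the post above, and not part of pfSense), here is a small POSIX shell audit of an Unbound access_lists.conf that reports how fe80::/10 is treated and whether a catch-all netblock is allowed. It runs against a constructed sample file instead of /var/unbound/access_lists.conf so it works offline; point the functions at the real file on a firewall.

```shell
#!/bin/sh
# Added example, not from pfSense or the posters: audit an Unbound
# access_lists.conf for how link-local IPv6 (fe80::/10) is treated.
# On pfSense the generated file is /var/unbound/access_lists.conf; here a
# constructed sample is used so the script runs anywhere.

# ll_action FILE
# Prints the action Unbound applies to fe80::/10 (allow, allow_snoop, refuse,
# deny, ...) taken from the last access-control line naming that netblock,
# or "unlisted" when no line names it. Unlisted addresses fall back to
# Unbound's default, which refuses everything except localhost.
ll_action() {
    action=$(awk 'tolower($1) == "access-control:" && tolower($2) == "fe80::/10" { a = $3 } END { print a }' "$1")
    if [ -n "$action" ]; then
        printf '%s\n' "$action"
    else
        printf 'unlisted\n'
    fi
}

# any_to_any FILE
# Prints "yes" if a catch-all netblock (::/0 or 0.0.0.0/0) is allowed, which
# would make a narrow fe80::/10 entry irrelevant and expose the resolver to
# every peer that can reach a bound interface; prints "no" otherwise.
any_to_any() {
    if awk 'tolower($1) == "access-control:" && ($2 == "::/0" || $2 == "0.0.0.0/0") && ($3 == "allow" || $3 == "allow_snoop") { found = 1 } END { exit !found }' "$1"; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# Constructed sample resembling what pfSense writes for a LAN with IPv4 and a
# global IPv6 prefix; note that there is no fe80::/10 line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
access-control: 127.0.0.1/32 allow_snoop
access-control: ::1 allow_snoop
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow
access-control: 2001:db8:1::/64 allow
EOF

echo "link-local action before fix: $(ll_action "$sample")"
# The fix from the post: an Access Lists entry for fe80::/10 ends up in the
# same file as a line like this one.
echo "access-control: fe80::/10 allow" >> "$sample"
echo "link-local action after fix:  $(ll_action "$sample")"
echo "catch-all allow present:      $(any_to_any "$sample")"
rm -f "$sample"
```

    On a firewall, `ll_action /var/unbound/access_lists.conf` is the one-line version of the "cat to verify" check; `any_to_any` is the sanity check for the opposite mistake, an ACL so wide that per-netblock entries no longer matter.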


  • Rebel Alliance Developer Netgate

    It still isn't added by default on 2.4.

    Usually the firewall would automatically hand out its own LAN IPv6 address to clients, not the LL address though. It's certainly possible to add code for that, but it may not be a good idea for it to be in by default. It could also allow LL queries from devices on the WAN subnet if rules were made improperly, which is what the ACLs in unbound are crafted to prevent.

    If unbound supported interface scopes on access control lists then maybe it could be allowed but at least from the docs it does not appear to.

    For example, if igb0 is LAN and igb1 is WAN, then you'd have an access list allowing from fe80::%igb0/10, which is scope-limited to LL on LAN and not other interfaces.