Certainly the RFCs I've looked at say that I shouldn't be returning private addresses to an internet client.
I recall seeing such a statement as well. I do not recall seeing an exact rationale behind it. One needs to understand the rationale behind it to figure out if it is really applicable to your situation.
My background is in general telecoms engineering rather than datacoms, so at this stage I don't really know what I want... yet. All I'm really doing is experimenting in an attempt to learn how it all should/can work, and that's the rub: if you know the terminology and that something is possible, then it's easy enough to do a search and find things out, but if you don't have those two things, you never know whether you're not finding an answer because you've not yet asked the right question or whether what you are trying to do is just not possible.
Whenever you are learning something new, it is a good idea to stop and ask questions once in a while.
I reasoned that there must be at least a few small and home networks with private NS doing ipv4 and now adding public ipv6 and it should be a common enough situation to warrant there being some pre-planned method of limiting who will see which once it goes public.
I haven't come across your exact question before. My own LAN is using a transitioning mechanism I developed myself, which happens to work in a way that avoids the challenge you are facing. Because of that, I haven't actually thought about that exact question until you asked it.
The really pertinent part of your response is the parting question and I guess I don't want all my devices reachable from the internet, only a very small number of them.
In that case it may be relevant to give two different answers to the question. One answer applicable to devices you do not want to be reachable, and one answer applicable to devices you do want to be reachable.
For a device which should not be reachable from the internet, you can put both the public IPv6 and the private IPv4 address in DNS. Trying to access the device from elsewhere may give unexpected results due to the private IPv4 address in DNS, but the domain name wasn't supposed to be accessed from that location in the first place. To ensure the device cannot be accessed from the outside through its public IPv6 address, you should be using a firewall on the border of your network. It is feasible to keep such a firewall completely stateless and thus avoid some of the problems often associated with firewalls on IPv4.
For a device which should be reachable from the internet, you need to ensure that only the IPv6 address is visible. If there was an A record with a private IPv4 address as well, clients may connect to that address and reach a completely different device from the one intended. The next question is whether the device should be reachable from IPv4-only clients. If it needs to be reachable from IPv4-only clients on your LAN, then you need split-horizon DNS. If it needs to be reachable from IPv4-only clients outside your LAN through the public internet, then you have a bit of a challenge. I am working on a service for that sort of scenario.
What I do want is for as much as possible to be dynamically updated when things come and go.
At this point a relevant question is whether you want a DNS name which points to the device even if it moves between your LAN and other IPv6 enabled networks. If it only needs to point to the device while it is on your LAN, it is easy to arrange for the device to have the same IPv6 address every time it is on your LAN.
This being the case, if it's possible, would the way to do it be to use the /48 prefix to set up a public subnet through the HE name servers, managed manually, and have a "private" subnet from it run on my DNS, updated dynamically, dual homing the promiscuous boxes with static addresses on the open subnet?
There are reasons why you might want to partition your LAN into multiple /64 segments. And in such a situation a routed /48 is the way to go. But none of the things you have mentioned so far suggests that you have a need for multiple segments.
You can have dynamic and static IPv6 addresses on the same /64 prefix. You can even have multiple static and multiple dynamic IPv6 addresses on a single network interface. A use case for that could be one machine hosting multiple web domains with IP based vhosts (rather than name based vhosts, commonly seen on IPv4), and, for a bit of additional privacy, outgoing connections from that machine using dynamic IPv6 addresses (with old addresses remaining on the interface after a new one has been added, such that open TCP connections can keep going).
I feel some more research coming on!
There is always something new to learn.
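As an added example, not code from this thread: the split-horizon rule from the answer above (internal view keeps everything, the view served to internet clients must never carry an RFC 1918 A record, and a name meant to be public must not have a private A record next to its AAAA) as a small check in Python. The zone data, the example.net names and the `PUBLIC_NAMES` set are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class Record(NamedTuple):
    name: str
    rtype: str
    value: str


# RFC 1918 ranges: never to be answered to internet clients.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(value):
    """True if value is an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:  # not an IPv4 literal (e.g. an AAAA value)
        return False
    return any(addr in net for net in RFC1918)


def external_view(zone):
    """Records for the internet-facing view: the full zone minus private A records.
    The internal (LAN) view of a split-horizon setup serves the zone unchanged."""
    return [r for r in zone if not (r.rtype == "A" and is_rfc1918(r.value))]


def audit(zone, public_names):
    """Warnings for names that are meant to be reachable from the internet."""
    warnings = []
    for name in sorted(public_names):
        own = [r for r in zone if r.name == name]
        if any(r.rtype == "A" and is_rfc1918(r.value) for r in own):
            warnings.append(f"{name}: private A record would send outside clients to the wrong host")
        if not any(r.rtype == "AAAA" for r in own):
            warnings.append(f"{name}: no AAAA record, not reachable over IPv6")
    return warnings


# Constructed sample zone: nas is LAN-only, www is meant to be public, mail is IPv4-only.
ZONE = [
    Record("nas.example.net.", "AAAA", "2001:db8:1::10"),
    Record("nas.example.net.", "A", "192.168.1.10"),
    Record("www.example.net.", "AAAA", "2001:db8:1::80"),
    Record("www.example.net.", "A", "192.168.1.80"),
    Record("mail.example.net.", "A", "203.0.113.25"),
]
PUBLIC_NAMES = {"www.example.net."}

if __name__ == "__main__":
    for r in external_view(ZONE):
        print("external:", r.name, r.rtype, r.value)
    for w in audit(ZONE, PUBLIC_NAMES):
        print("WARNING:", w)
```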