I found a decent workaround: use the main server "archive.ubuntu.com" instead of the mirror. Notice how it includes only the known-good addresses; security.ubuntu.com includes a mix of good and bad hosts, and us.archive.ubuntu.com includes only the bad ones.
$ dig +short archive.ubuntu.com aaaa
2001:67c:1360:8c01::18
2001:67c:1360:8c01::19

$ dig +short security.ubuntu.com aaaa
2001:67c:1562::16
2001:67c:1562::13
2001:67c:1562::14
2001:67c:1562::15
2001:67c:1360:8c01::18
2001:67c:1360:8c01::19
2001:67c:1562::17

$ dig +short us.archive.ubuntu.com aaaa
2001:67c:1562::13
2001:67c:1562::14
2001:67c:1562::15
2001:67c:1562::16
2001:67c:1562::17

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1412943

Title:
  security.ubuntu.com (2001:67c:1562::XXX) not reachable via HE