IPv6 App Store Rejection
After quite a bit of stress, I can confirm that the issue was a problem with our backend not being correctly configured for IPv6. Apparently, AWS doesn't support IPv6, nor IPv6-only DNS through Route53. I ended up moving all the internet facing bits of the backend away from AWS for the time being.
I wanted to leave this up because I think there are probably going to be others who find themselves with similar problems as people start submitting updates past the IPv6-only restriction. The best tool I found for testing server/dns readiness has been: http://ready.chair6.net/
Please note that Supporting IPv6-only Networks and IPv6 and App Review link can be very helpful in determining what's the problem with apple rejections.In this specific case the articles clearly state that you can setup the DNS64/NAT64 test network but that "This test network is not exactly the same as the network used by App Review", that's why everything can work in the test environment and still have the app rejected.
Moreover:
The App Review network, like the networks deployed by serviceproviders, does support IPv6-to-IPv6 connectivity. Thus, if yourserver supports IPv6, your app will talk to it directly, without goingthrough the NAT64 translator. This is, in general, a good thing, butit can trip you up if your server claims to support IPv6 but that IPv6support is broken. For example, if: the DNS name is incorrect the DNSis correct but the server is not listening on IPv6 the server islistening on IPv6 but fails when a request comes in over IPv6
So if your backend server has support for IPv6 the apple test network will use it, and it is what has been wrong in this case.
I add this as a reference and starting point for other users that experience the same problem
We ran into this same problem, and it turned out while we had setup an AAAA record for IPv6, since we didn't actually have IPv6 support (we're also using Route53), it borked everything. Removing the AAAA record fixed the issue.
I've filed a radar about the discrepancy between the documentation for testing and the setup App Review is using - we were only able to diagnose it because our CTO was at WWDC and was able to connect to their network, which is not exactly a situation we can reproduce regularly.