we have different TLS domains/certificates for dns64 and non dns64

Oh, OK.  Such a thing hasn't occurred to us, so it's not possible.  In that case I expect you'll need to stay on 5.x for now, with separate processes for dns64 and non-dns64 (but they can share the cache).  Overall I don't think the current code can support multiple certificates.