Default interfaces on multi-homed servers about puppet-unbound HOT 3 CLOSED

Aha, I figured out what is happening. Unbound is replying from the wrong interface.

When Unbound is configured to listen on any interface (0.0.0.0), then it uses the wildcard source address (0.0.0.0) for the reply packet and allows the kernel to choose the source interface. Since DNS over UDP is connectionless, the kernel just chooses the first available interface and the client sees a reply from a different address than it queried. Any well-behaved client will reject that answer.

This is referenced in a question on the Unbound mailing list from September 2011:
http://www.nlnetlabs.nl/pipermail/unbound-users/2011-September/002061.html

The recommended solution is to explicitly list each interface. Then Unbound will reply using the same interface that it received the request on, instead of using the wildcard (0.0.0.0) interface.

Also note that the option interface-automatic technically does solve the problem as well, however it is NOT recommended because it is experimental, and it requires the availability of IPv6.

Going based on my own experience, the expected behavior is that Unbound should work on all interfaces unless otherwise specified. (Principle of least astonishment) Here are the options as I see them.

1. This module could be modified to create an interface line for each active IP address.
2. Or, more simply, set the default interface to ${ipaddress} so that any admin perusing the config file will quickly understand why it isn't working. Consider also adding a comment in the config file and an entry in the param documentation explaining why it's configured that way. Of course, the end user is still free to customize interfaces using the class parameter.

from puppet-unbound.

Most Linux distributions support a dual IP stack, with IPv6 as the default.

from puppet-unbound.

I believe this issue has been addressed by the inclusion of the interface param in params.pp.

from puppet-unbound.