Maintained by: NLnet Labs

[Unbound-users] ip-transparent patch

Jarno Huuskonen
Tue Feb 10 13:24:10 CET 2015


Hi,

On Tue, Feb 10, Sten Spans <sten at blinkenlights.nl> wrote:
> I'm trying to use unbound in combination with vrrp/keepalived.
> The use of floating ips, would require an unbound restart every
> time an ip moves from one host to another.

Have you tried using: interface-automatic: yes
(So something like:
        interface: 0.0.0.0
        interface: ::0
        interface-automatic: yes
in unbound.conf).

We've used this with keepalived/unbound and it has worked for us.
(No need to restart unbound after ip address failover).

(We also have
 outgoing-interface: server.ipv4.add.ress
 outgoing-interface: server.ipv6.add.ress
so unbound doesn't use floating (keepalived) addrs for outgoing queries).

(I think on ip address failover unbound can try to send a reply from a
floating (vip) address that has just moved to another server, but
with our setup this hasn't been a problem).
 
> For ipv4 linux has the ip.nonlocal_bind sysctl to allow binding
> to non-local ips, however ipv6 has no such sysctl.

For haproxy/keepalived we use this "hack" for ipv6 vip (floating
addresses): bind all ipv6 VIPs to the "lo" interface --> haproxy
can bind to the needed addrs.
(https://gist.github.com/aw/1008793)

(I haven't tested this with unbound, because interface-automatic: yes
works for us).

-Jarno

-- 
Jarno Huuskonen
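
What `interface-automatic: yes` relies on, shown as an added example (not code from this post or from Unbound): a UDP socket bound only to the wildcard address reads each query's destination from Linux `IP_PKTINFO` and sends the reply from that same address, so a floating address needs no bind of its own. The function names and the use of 127.0.0.2 on loopback as a stand-in for a floating IP are assumptions of this example; it covers IPv4 only.

```c
#define _GNU_SOURCE                     /* struct in_pktinfo on glibc */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Answer one query on a wildcard-bound UDP socket, forcing the reply's source
 * to the address the query was sent to. Returns that address, 0 on error. */
static in_addr_t answer_from_query_dst(int srv)
{
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    char buf[512];
    struct sockaddr_in peer;
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = ctl, .msg_controllen = sizeof ctl };
    ssize_t n = recvmsg(srv, &m, 0);
    struct cmsghdr *c = n < 0 ? NULL : CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_PKTINFO) return 0;
    struct in_pktinfo *pi = (struct in_pktinfo *)CMSG_DATA(c);
    pi->ipi_spec_dst = pi->ipi_addr;    /* reply source = query destination */
    pi->ipi_ifindex = 0;                /* leave interface choice to routing */
    iov.iov_len = (size_t)n;            /* echo the payload back to the peer */
    return sendmsg(srv, &m, 0) < 0 ? 0 : pi->ipi_addr.s_addr;
}

/* Query `vip` on a socket bound only to 0.0.0.0; 1 if the reply comes from `vip`, 0 if not, -1 on error. */
int reply_comes_from(const char *vip)
{
    int on = 1, srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    struct timeval tv = { .tv_sec = 2 };                     /* never block forever */
    struct sockaddr_in a = { .sin_family = AF_INET }, from;  /* 0.0.0.0, port 0 */
    socklen_t al = sizeof a, fl = sizeof from;
    char r[16]; int rc = -1;
    if (srv >= 0 && cli >= 0 &&
        setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof on) == 0 &&
        setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) == 0 &&
        setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) == 0 &&
        bind(srv, (struct sockaddr *)&a, sizeof a) == 0 &&
        getsockname(srv, (struct sockaddr *)&a, &al) == 0 &&  /* learn the port */
        inet_pton(AF_INET, vip, &a.sin_addr) == 1 &&
        sendto(cli, "q", 1, 0, (struct sockaddr *)&a, sizeof a) == 1 &&
        answer_from_query_dst(srv) == a.sin_addr.s_addr &&
        recvfrom(cli, r, sizeof r, 0, (struct sockaddr *)&from, &fl) == 1)
        rc = from.sin_addr.s_addr == a.sin_addr.s_addr;
    close(srv); close(cli);
    return rc;
}
```

Without the `IP_PKTINFO` control message on the reply, the kernel would choose the source address itself, and a client that queried the floating address could receive an answer from a different one.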