DigitalOcean Reserved IP + MIAB: NSD binds to Droplet IP while DNS records point to Reserved IP
Hi,
I’m trying to understand the correct Mail-in-a-Box setup for a DigitalOcean Droplet that uses a Reserved IP as the long-term public identity.
Environment
I have a DigitalOcean Droplet with:
Reserved IP: 67.207.77.207
Droplet public IP: 46.101.106.169
DO private/VPC IP: 10.135.0.2
Primary hostname: box.rosback.org
The Reserved IP 67.207.77.207 is meant to be the stable address of the mail/DNS box.
The Droplet public IP 46.101.106.169 is not something I want to depend on long-term, because it may change if I recreate the Droplet.
The Reserved IP is actually assigned on the interface:
inet 46.101.106.169/20 brd 46.101.111.255 scope global eth0
inet 67.207.77.207/32 scope global eth0
Current /etc/mailinabox.conf
PRIMARY_HOSTNAME=box.rosback.org
PUBLIC_IP=67.207.77.207
PUBLIC_IPV6=
PRIVATE_IP=46.101.106.169
PRIVATE_IPV6=
What MIAB generated
The zone files look correct from the public identity point of view. For example, rosback.org.txt.signed contains:
rosback.org. A 67.207.77.207
box.rosback.org. A 67.207.77.207
ns1.box.rosback.org. A 67.207.77.207
ns2.box.rosback.org. A 67.207.77.207
But /etc/nsd/nsd.conf contains:
ip-address: 46.101.106.169
And /etc/bind/named.conf.options contains:
listen-on { 127.0.0.1;67.207.77.207; };
So the actual listener state is:
NSD authoritative DNS -> 46.101.106.169:53
bind9/named -> 67.207.77.207:53 and 127.0.0.1:53
Observed result
From the outside world, DNS queries to the Droplet IP work:
46.101.106.169 responds
But queries to the Reserved IP do not work correctly:
67.207.77.207 does not respond as authoritative NSD / returns SERVFAIL
This makes sense because 67.207.77.207:53 is being handled by bind9 / named instead of NSD.
What I think is happening
It looks like MIAB treats:
PUBLIC_IP = address published in DNS records
PRIVATE_IP = local/interface address used for service binding
So with my current config, MIAB publishes DNS records for the Reserved IP, but binds NSD to the Droplet IP.
That means the generated setup is internally split like this:
DNS records say: use 67.207.77.207
NSD actually serves: 46.101.106.169
This is awkward for a DigitalOcean Reserved IP setup, because my goal is that 67.207.77.207 is the stable public identity and should be where authoritative DNS is served.
Question
What is the correct/recommended way to configure MIAB for a DigitalOcean Reserved IP that is assigned on eth0 and is intended to be the long-term public IP of the box?
Should /etc/mailinabox.conf be changed to this?
PUBLIC_IP=67.207.77.207
PRIVATE_IP=67.207.77.207
Or should MIAB keep this?
PUBLIC_IP=67.207.77.207
PRIVATE_IP=46.101.106.169
In that case, is NSD expected to serve DNS from the Droplet IP while the zone records point to the Reserved IP?
I’m trying to avoid manually patching generated files like /etc/nsd/nsd.conf, because they are overwritten by MIAB setup/upgrade.
I would like to understand the correct durable configuration for this kind of DigitalOcean Reserved IP setup.
Upgrade context
This started after upgrading MIAB and rerunning setup. It is possible the old setup had manual changes or stale config that masked the issue before.
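Added example, not part of the original post: a small Python consistency check that reads the three generated files quoted above (constructed copies embedded inline) and reports when the IP published in the zone is not one NSD listens on, or when bind9 holds port 53 on it. Values and paths come from the post; the function names are assumptions of this example.

```python
import re

# Constructed copies of the files quoted in the post; on a real box read them from
# /etc/mailinabox.conf, /etc/nsd/nsd.conf, /etc/bind/named.conf.options and the signed zone.
MIAB_CONF = "PRIMARY_HOSTNAME=box.rosback.org\nPUBLIC_IP=67.207.77.207\nPRIVATE_IP=46.101.106.169\n"
NSD_CONF = "ip-address: 46.101.106.169\n"
NAMED_OPTIONS = "listen-on { 127.0.0.1;67.207.77.207; };\n"
ZONE = "rosback.org. A 67.207.77.207\nbox.rosback.org. A 67.207.77.207\nns1.box.rosback.org. A 67.207.77.207\n"


def miab_settings(text):
    """Parse KEY=VALUE lines of /etc/mailinabox.conf into a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def nsd_listeners(text):
    """Addresses NSD binds to: every 'ip-address:' line in nsd.conf."""
    return set(re.findall(r"^\s*ip-address:\s*(\S+)", text, re.M))


def bind_listeners(text):
    """Addresses inside bind's 'listen-on { a; b; };' option."""
    m = re.search(r"listen-on\s*\{([^}]*)\}", text)
    return {ip.strip() for ip in m.group(1).split(";") if ip.strip()} if m else set()


def published_a_records(zone_text):
    """All IPv4 targets of A records in the generated zone file."""
    return set(re.findall(r"^\S+\s+A\s+(\S+)\s*$", zone_text, re.M))


def audit(miab, nsd, named, zone):
    """Return a list of mismatches between the published DNS identity and the port-53 listeners."""
    public_ip = miab_settings(miab).get("PUBLIC_IP")
    findings = []
    stray = published_a_records(zone) - {public_ip}
    if stray:
        findings.append(f"zone publishes A records for {sorted(stray)}, not only PUBLIC_IP {public_ip}")
    nsd_ips = nsd_listeners(nsd)
    if public_ip not in nsd_ips:
        findings.append(f"NSD listens on {sorted(nsd_ips)}, not on PUBLIC_IP {public_ip}")
    if public_ip in bind_listeners(named):
        findings.append(f"bind9 holds {public_ip}:53, so external queries to the published IP never reach NSD")
    return findings


if __name__ == "__main__":
    for line in audit(MIAB_CONF, NSD_CONF, NAMED_OPTIONS, ZONE) or ["OK: published IP is served by NSD"]:
        print(line)
```

With the post's current files it reports two findings (NSD bound to the Droplet IP, bind9 holding the Reserved IP); it reports nothing once NSD's ip-address is the Reserved IP and bind9 listens on 127.0.0.1 only.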