diff --git a/bootstrap/k0s/README.md b/bootstrap/k0s/README.md
index 84bc8c1..cc9cc05 100644
--- a/bootstrap/k0s/README.md
+++ b/bootstrap/k0s/README.md
@@ -32,6 +32,7 @@ Optional environment variables:
 - `TINKERBELL_TRUSTED_PROXIES` defaults to `10.244.0.0/16,10.96.0.0/12`
 - `K0S_POD_CIDR` defaults to `10.244.0.0/16`
 - `K0S_SERVICE_CIDR` defaults to `10.96.0.0/12`
+- `TINKERBELL_DHCP_BIND_ADDR` defaults to `TINKERBELL_PUBLIC_IP`
 - `TINKERBELL_HOOKOS_ARCH` defaults to `x86_64`
 - `TINKERBELL_HOOKOS_KERNEL_VERSION` defaults to `6.6`
 - `TINKERBELL_HOOKOS_EXTENSION` defaults to `tar.gz`
@@ -42,12 +43,13 @@ The intended real-lab consumer passes:
 ```text
 TINKERBELL_PUBLIC_IP=10.10.20.1
 TINKERBELL_ARTIFACTS_FILE_SERVER=http://10.10.20.1:7173
+TINKERBELL_DHCP_BIND_ADDR=10.10.20.1
 TINKERBELL_DHCP_BIND_INTERFACE=eth1.20
 ```
 
-The VyOS-hosted bootstrap path leaves DHCP with VyOS/Kea. Tinkerbell's DHCP
-listener is disabled, while its HTTP, TFTP, gRPC, and SSH listeners bind to
-`TINKERBELL_PUBLIC_IP`.
+The VyOS-hosted bootstrap path leaves LAB_MGMT and LAB_OOB DHCP with VyOS/Kea.
+Tinkerbell owns DHCP/PXE on LAB_PROV and binds its HTTP, DHCP, TFTP, gRPC, and
+SSH listeners to `TINKERBELL_PUBLIC_IP`.
 
 For local smoke runs, set `TINKERBELL_DHCP_BIND_INTERFACE` to an interface that
 actually exists inside the disposable bootstrap container, such as `eth0`.
@@ -94,6 +96,7 @@ docker run -d \
   -p 6443:6443 \
   -e TINKERBELL_PUBLIC_IP=10.10.20.1 \
   -e TINKERBELL_ARTIFACTS_FILE_SERVER=http://10.10.20.1:7173 \
+  -e TINKERBELL_DHCP_BIND_ADDR=0.0.0.0 \
   -e TINKERBELL_DHCP_BIND_INTERFACE=eth0 \
   bootstrap-k0s:test
 ```
diff --git a/bootstrap/k0s/bootstrap-k0s.sh b/bootstrap/k0s/bootstrap-k0s.sh
index 6dfd5de..08273c9 100644
--- a/bootstrap/k0s/bootstrap-k0s.sh
+++ b/bootstrap/k0s/bootstrap-k0s.sh
@@ -30,6 +30,7 @@ render_k0s_config() {
   TINKERBELL_HOOKOS_KERNEL_VERSION="${TINKERBELL_HOOKOS_KERNEL_VERSION:-6.6}"
   TINKERBELL_HOOKOS_EXTENSION="${TINKERBELL_HOOKOS_EXTENSION:-tar.gz}"
   TINKERBELL_DHCP_MODE="${TINKERBELL_DHCP_MODE:-reservation}"
+  TINKERBELL_DHCP_BIND_ADDR="${TINKERBELL_DHCP_BIND_ADDR:-$TINKERBELL_PUBLIC_IP}"
   TINKERBELL_TINK_SERVER_ADDR_PORT="${TINKERBELL_TINK_SERVER_ADDR_PORT:-$TINKERBELL_PUBLIC_IP:42113}"
   TINKERBELL_OSIE_URL="${TINKERBELL_OSIE_URL:-http://$TINKERBELL_PUBLIC_IP:7173}"
 
@@ -40,6 +41,7 @@ render_k0s_config() {
     -t service_cidr="$K0S_SERVICE_CIDR" \
     -t public_ip="$TINKERBELL_PUBLIC_IP" \
     -t artifacts_file_server="$TINKERBELL_ARTIFACTS_FILE_SERVER" \
+    -t dhcp_bind_addr="$TINKERBELL_DHCP_BIND_ADDR" \
     -t dhcp_bind_interface="$TINKERBELL_DHCP_BIND_INTERFACE" \
     -t hookos_arch="$TINKERBELL_HOOKOS_ARCH" \
     -t hookos_kernel_version="$TINKERBELL_HOOKOS_KERNEL_VERSION" \
diff --git a/bootstrap/k0s/k0s.cue b/bootstrap/k0s/k0s.cue
index 1b957ba..bb9b19c 100644
--- a/bootstrap/k0s/k0s.cue
+++ b/bootstrap/k0s/k0s.cue
@@ -9,6 +9,7 @@ cfgPodCIDR:             string @tag(pod_cidr)
 cfgServiceCIDR:         string @tag(service_cidr)
 cfgPublicIP:            string @tag(public_ip)
 cfgArtifactsFileServer: string @tag(artifacts_file_server)
+cfgDHCPBindAddr:        string @tag(dhcp_bind_addr)
 cfgDHCPBindInterface:   string @tag(dhcp_bind_interface)
 cfgHookOSArch:          string @tag(hookos_arch)
 cfgHookOSKernelVersion: string @tag(hookos_kernel_version)
@@ -52,8 +53,9 @@ cfgTrustedProxies: [for proxy in strings.Split(cfgTrustedProxiesCSV, ",") if str
 				bindAddr: "0.0.0.0"
 			}
 			smee: {
-				dhcpEnabled:                  false
+				dhcpEnabled:                  true
 				dhcpMode:                     cfgDHCPMode
+				dhcpBindAddr:                 cfgDHCPBindAddr
 				dhcpBindInterface:            cfgDHCPBindInterface
 				dhcpIPForPacket:              cfgPublicIP
 				dhcpTftpIP:                   cfgPublicIP
diff --git a/bootstrap/k0s/moon.yml b/bootstrap/k0s/moon.yml
index c389d3d..c600a5c 100644
--- a/bootstrap/k0s/moon.yml
+++ b/bootstrap/k0s/moon.yml
@@ -30,6 +30,7 @@ tasks:
       -t service_cidr=10.96.0.0/12
       -t public_ip=10.10.20.1
       -t artifacts_file_server=http://10.10.20.1:7173
+      -t dhcp_bind_addr=10.10.20.1
       -t dhcp_bind_interface=eth1.20
       -t hookos_arch=x86_64
       -t hookos_kernel_version=6.6
@@ -54,6 +55,7 @@ tasks:
       -t service_cidr=10.96.0.0/12
       -t public_ip=10.10.20.1
       -t artifacts_file_server=http://10.10.20.1:7173
+      -t dhcp_bind_addr=10.10.20.1
       -t dhcp_bind_interface=eth1.20
       -t hookos_arch=x86_64
       -t hookos_kernel_version=6.6