Building dnsextd(8) for macOS in 2022

Looks like dnsextd(8) was removed from macOS in 10.15 Catalina, and building from source isn't easy.

I used the attached patch to build mDNSResponder 1310.140.1, which removes unused functions except for setTrafficClass, which is unused by the target (it passes mDNSFalse for useBackgroundTraffic).

We're planning to use this as a frontend to BIND 9.18.3 with an external daemon to verify TSIG for dynamic updates. With MDM we should be able to easily provision new TSIG keys remotely on servers, then communicate them out-of-band to the daemon and (hopefully) have the process work almost automatically.

I have heard only RC4 is supported in released versions of macOS, and the implementation is broken in macOS Monterey.

Comments welcome

Replies

Looks like building 1557.120.7 from the GitHub releases is pretty different; the latest doesn't have an Xcode target for dnsextd. The patch is much smaller, but the Makefile doesn't collect the conf, man page, launchd plist and executable and put them in an appropriate structure.

I presume your goal here is to get those patches integrated into the mainline source code. If so, I recommend that you put them in a bug report. That’ll ensure they’re seen by the right folks.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Not exactly. I have the patches for both, but I'm looking for comments on the use of dnsextd (hopefully from someone in the networking group) on its viability with recent versions of BIND. Also their thoughts on the overall scheme, like relying on the TSIG implementation in macOS for secure record updates. FB10279468

I realized I didn't reference the BIND documentation section 4.2.28.4 Dynamic Update Policies (the external option), which is what's planned.