Building dnsextd(8) for macOS in 2022

Looks like dnsextd(8) was removed from macOS in 10.15 Catalina, and building from source isn't easy.

I used the attached patch to build mDNSResponder 1310.140.1, which removes unused functions except for setTrafficClass which is unused by the target (it passes mDNSFalse for useBackgroundTraffic).

We're planning to use this as a frontend to BIND 9.18.3 with an external daemon to verify TSIG for dynamic updates. With MDM we should be able to easily provision new TSIG keys remotely on servers, then communicate them out-of-band to the daemon and (hopefully) have the process work almost automatically.

I have heard only RC4 is supported in released versions of macOS, and the implementation is broken in macOS Monterey.

Comments welcome

Looks like building 1557.120.7 from the GitHub releases is pretty different, the latest doesn't have an Xcode target for dnsextd. The patch is much smaller, but the Makefile doesn't collect the conf, man page, launchd plist and executable and put them in an appropriate structure.

I presume your goal here is to get those patches integrated into the mainline source code. If so, I recommend that you put them in a bug report. That’ll ensure they’re seen by the right folks.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Not exactly. I have the patches for both, but I'm looking for comments on the use of dnsextd (hopefully from someone in the networking group) on its viability with recent versions of BIND. Also their thoughts on the overall scheme, like relying on the TSIG implementation in macOS for secure record updates. FB10279468

I realized I didn't reference the BIND documentation section 4.2.28.4 Dynamic Update Policies (the external option), which is what's planned.

Building dnsextd(8) for macOS in 2022
 
 
Q