krypted.com

Tiny Deathstars of Foulness

DNS is DNS. And named is named. Except in macOS Server. Sometimes. The configuration files for the DNS services in macOS Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems.

The current version of BIND is BIND 9.9.7-P3 (Extended Support Version). This has been the case for a number of macOS Server versions, and can easily be located by doing a cat of the /Library/Server/named/.version file. 

Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In macOS Server 5.2 (for Sierra), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear.

The verbs available include:
  • help: show help information
  • list: show the contents of configurations and zone files
  • add: create records and zones
  • delete: remove records and zones
To view data available in the service, use the list verb. Options available when using the list verb include:
  • –acl: show ACLs
  • –view: show BIND view data
  • –zone: show domains configured in the service
  • –rr: show resource records
  • –rrtype: show types of resource records
For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan

The output would show you information about the listed zone, usually including View data:

Views: com.apple.ServerAdmin.DNS.public Zones: pretendco.lan Options: allow-transfer: none allow-update: none

To see a specific record, use the –rr option, followed by = and then the fqdn, so to see ecserver.pretendco.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan

By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (–view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan


Or to delete that one www record earlier, just swap the add with a delete:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g. 10.1.1.1
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Overall, this command is one of the best I’ve seen for managing DNS in a long time. It shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.

Additionally, you can manage bind in a variety of other ways. There are global settings exposed with the bind -v command:

bind -v


Which returns something similar to the following:

set bind-tty-special-chars on
set blink-matching-paren on
set byte-oriented off
set completion-ignore-case off
set convert-meta off
set disable-completion off
set enable-keypad off
set expand-tilde off
set history-preserve-point off
set horizontal-scroll-mode off
set input-meta on
set mark-directories on
set mark-modified-lines off
set mark-symlinked-directories off
set match-hidden-files on
set meta-flag on
set output-meta on
set page-completions on
set prefer-visible-bell on
set print-completions-horizontally off
set show-all-if-ambiguous off
set show-all-if-unmodified off
set visible-stats off
set bell-style audible
set comment-begin #
set completion-query-items 100
set editing-mode emacs
set keymap emacs

September 10th, 2017

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , ,

SQL has some really great features for managing dates. Given that dates are a very common thing to store in databases, that’s a pretty logical thing to get to a good, mature point. But the most challenging aspect of working with date and time in SQL is formatting. There are lots of different ways to format dates around the world, and even different structures (e.g. epoch) that are often complicated by adding time to records. But, you need to do things in a consistent fashion with how SQL expects them, if you’ll be using built in functions to manage dates. Dates can be stored in a variety of formats, which include the following:
  • DATE: Appears as YYYY-MM-DD
  • DATETIME: Appears as YYYY-MM-DD HH:MI:SS
  • TIMESTAMP: Appears as YYYY-MM-DD HH:MI:SS
  • YEAR: Appears as YY or YYYY
What are those functions?
  • CONVERT: Shows the date/time data in the specified format
  • CURATE: Shows the current date
  • CURTIME: Shows the current time
  • DATE: Extracts the date from a date/time field
  • DATE_ADD: Adds the time to a date
  • DATE_SUB: Removes the time from a date
  • DATE_FORMAT: Shows the date and time data in different formats
  • DATEDIFF: Shows the days between two specified dates
  • EXTRACT: Shows part of a date and time formatted value
  • NOW: Shows the current date and time, frequently used to capture the date during signups, etc
In this article, we’ll use the same “Customers” table from our first articles, but we’ll add a column for signupdate: ID Site Contact Address City Zip Country SignupDate 1 Krypted Charles Edge my house Minneapolis 55418 US 2005-01-01 2 Apple Tim Cook spaceship Cupertino 95014 US 2015-12-05 3 Microsoft Satya Nadella campus Redmond 98053 US 2014-11-01 4 Facebook Mark Zuckerberg foodhall Menlo Park 94025 US 2010-03-10 5 JAMF Dean Hager Grain Exchange Minneapolis 55418 US 2016-01-01 Let’s show (SELECT) records with an SignupDate of 2005-01-01 from the table above. SELECT * FROM Customers WHERE OrderDate='2005-01-01' Overall, dates are pretty easy. Times are a little more challenging, and take up much more space in a database. But overall, provided you build the column with the right format you want to use, the functions make managing date tasks all the easier. I’m not going to cover all of the options, but let’s look at EXTRACT real quick. Here, we’ll serialize the year, month, and day from the previous select. To do so, we’ll use the SELECT statement, call the EXTRACT function, and then split the three parts of the date into variables we’re making up (so you can use your own strings for the names), as SignupYear, SignupMonth, and SignupDay: SELECT EXTRACT(YEAR FROM SignupDate) AS SignupYear, EXTRACT(MONTH FROM SignupDate) AS SignupMonth, EXTRACT(DAY FROM SignupDate) AS SignupDay, FROM Customers WHERE OrderDate='2005-01-01' Obviously, we knew the OrderDate, but we could have used any other column and pattern to match for that column in the WHERE to serialize date information based on other parameters. Fun stuff.

March 6th, 2016

Posted In: SQL

Tags: , , , , , , ,