oxidecomputer · zeeshanlakhani · May 5, 2026 · May 7, 2026 · May 8, 2026 · May 8, 2026
diff --git a/.envrc b/.envrc
@@ -5,6 +5,7 @@ PATH_add out/cockroachdb/bin
 PATH_add out/clickhouse
 PATH_add out/dendrite-stub/bin
 PATH_add out/mgd/root/opt/oxide/mgd/bin
+PATH_add out/mg-ddm/root/opt/oxide/mg-ddm/bin
 
 if [ "$OMICRON_USE_FLAKE" = 1 ] && nix flake show &> /dev/null
 then

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -604,8 +604,8 @@ ntp-admin-api = { path = "ntp-admin/api" }
 ntp-admin-client = { path = "clients/ntp-admin-client" }
 ntp-admin-types = { path = "ntp-admin/types" }
 ntp-admin-types-versions = { path = "ntp-admin/types/versions" }
-mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "7696ee48d5ee29a917dea459e281fe2e8ff20513" }
-ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "7696ee48d5ee29a917dea459e281fe2e8ff20513" }
+mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "974423895c17cc23711732f518e447b284425ccd" }
+ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "974423895c17cc23711732f518e447b284425ccd" }
 multimap = "0.10.1"
 nexus-auth = { path = "nexus/auth" }
 nexus-background-task-interface = { path = "nexus/background-task-interface" }
@@ -669,7 +669,7 @@ oxide-client = { path = "clients/oxide-client" }
 oxide-tokio-rt = "0.1.4"
 oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "bae0440c199b3908c12903a9532854936353433b", features = [ "api", "std" ] }
 oxlog = { path = "dev-tools/oxlog" }
-oxnet = "0.1.4"
+oxnet = "0.1.5"
 once_cell = "1.21.3"
 openapi-lint = { git = "https://github.com/oxidecomputer/openapi-lint", branch = "main" }
 openapiv3 = "2.2.0"
@@ -742,7 +742,7 @@ rats-corim = { git = "https://github.com/oxidecomputer/rats-corim.git", rev = "f
 raw-cpuid = { git = "https://github.com/oxidecomputer/rust-cpuid.git", rev = "a4cf01df76f35430ff5d39dc2fe470bcb953503b" }
 rayon = "1.10"
 rcgen = "0.12.1"
-rdb-types = { git = "https://github.com/oxidecomputer/maghemite", rev = "7696ee48d5ee29a917dea459e281fe2e8ff20513" }
+rdb-types = { git = "https://github.com/oxidecomputer/maghemite", rev = "974423895c17cc23711732f518e447b284425ccd" }
 reconfigurator-cli = { path = "dev-tools/reconfigurator-cli" }
 reedline = "0.40.0"
 ref-cast = "1.0"

diff --git a/clients/ddm-admin-client/src/lib.rs b/clients/ddm-admin-client/src/lib.rs
@@ -13,6 +13,7 @@ pub use ddm_admin_client::types;
 
 use ddm_admin_client::Client as InnerClient;
 use either::Either;
+use omicron_common::address::DDMD_PORT;
 use oxnet::Ipv6Net;
 use sled_hardware_types::underlay::BOOTSTRAP_MASK;
 use sled_hardware_types::underlay::BOOTSTRAP_PREFIX;
@@ -26,9 +27,6 @@ use thiserror::Error;
 
 use crate::types::EnableStatsRequest;
 
-// TODO-cleanup Is it okay to hardcode this port number here?
-const DDMD_PORT: u16 = 8000;
-
 #[derive(Debug, Error, SlogInlineError)]
 pub enum DdmError {
     #[error("Failed to construct an HTTP client:")]

diff --git a/dev-tools/downloader/src/lib.rs b/dev-tools/downloader/src/lib.rs
@@ -69,6 +69,9 @@ enum Target {
     /// Maghemite mgd binary
     MaghemiteMgd,
 
+    /// Maghemite ddmd binary
+    MaghemiteDdmd,
+
     /// SoftNPU, an admin program (scadm) and a pre-compiled P4 program.
     Softnpu,
 
@@ -137,6 +140,7 @@ pub async fn run_cmd(args: DownloadArgs) -> Result<()> {
                     Target::Console => downloader.download_console().await,
                     Target::DendriteStub => downloader.download_dendrite_stub().await,
                     Target::MaghemiteMgd => downloader.download_maghemite_mgd().await,
+                    Target::MaghemiteDdmd => downloader.download_maghemite_ddmd().await,
                     Target::Softnpu => downloader.download_softnpu().await,
                     Target::TransceiverControl => {
                         downloader.download_transceiver_control().await
@@ -946,6 +950,84 @@ impl Downloader<'_> {
         Ok(())
     }
 
+    async fn download_maghemite_ddmd(&self) -> Result<()> {
+        let download_dir = self.output_dir.join("downloads");
+        tokio::fs::create_dir_all(&download_dir).await?;
+
+        let checksums_path = self.versions_dir.join("maghemite_mgd_checksums");
+        let [mg_ddm_sha2, ddmd_linux_sha2] = get_values_from_file(
+            ["MG_DDM_SHA256", "DDMD_LINUX_SHA256"],
+            &checksums_path,
+        )
+        .await?;
+        let commit_path =
+            self.versions_dir.join("maghemite_ddm_openapi_version");
+        let [commit] = get_values_from_file(["COMMIT"], &commit_path).await?;
+
+        let repo = "oxidecomputer/maghemite";
+        let base_url = format!("{BUILDOMAT_URL}/{repo}/image/{commit}");
+
+        let filename = "mg-ddm.tar.gz";
+        let tarball_path = download_dir.join(filename);
+        download_file_and_verify(
+            &self.log,
+            &tarball_path,
+            &format!("{base_url}/{filename}"),
+            ChecksumAlgorithm::Sha2,
+            &mg_ddm_sha2,
+        )
+        .await?;
+        unpack_tarball(&self.log, &tarball_path, &download_dir).await?;
+
+        let destination_dir = self.output_dir.join("mg-ddm");
+        let _ = tokio::fs::remove_dir_all(&destination_dir).await;
+        tokio::fs::create_dir_all(&destination_dir).await?;
+        copy_dir_all(
+            &download_dir.join("root"),
+            &destination_dir.join("root"),
+        )?;
+
+        let binary_dir = destination_dir.join("root/opt/oxide/mg-ddm/bin");
+
+        match os_name()? {
+            Os::Linux => {
+                let filename = "ddmd";
+                let path = download_dir.join(filename);
+                download_file_and_verify(
+                    &self.log,
+                    &path,
+                    &format!(
+                        "{BUILDOMAT_URL}/{repo}/linux/{commit}/{filename}"
+                    ),
+                    ChecksumAlgorithm::Sha2,
+                    &ddmd_linux_sha2,
+                )
+                .await?;
+                set_permissions(&path, 0o755).await?;
+                tokio::fs::copy(path, binary_dir.join(filename)).await?;
+            }
+            Os::Mac => {
+                info!(
+                    self.log,
+                    "Building maghemite ddmd from source for macOS"
+                );
+
+                let binaries = [("ddmd", &["--no-default-features"][..])];
+
+                let built_binaries = self
+                    .build_from_git("maghemite", &commit, &binaries)
+                    .await?;
+
+                let dest = binary_dir.join("ddmd");
+                tokio::fs::copy(&built_binaries[0], &dest).await?;
+                set_permissions(&dest, 0o755).await?;
+            }
+            Os::Illumos => (),
+        }
+
+        Ok(())
+    }
+
     async fn download_softnpu(&self) -> Result<()> {
         let destination_dir = self.output_dir.join("npuzone");
         tokio::fs::create_dir_all(&destination_dir).await?;

diff --git a/env.sh b/env.sh
@@ -12,6 +12,7 @@ export PATH="$OMICRON_WS/out/cockroachdb/bin:$PATH"
 export PATH="$OMICRON_WS/out/clickhouse:$PATH"
 export PATH="$OMICRON_WS/out/dendrite-stub/bin:$PATH"
 export PATH="$OMICRON_WS/out/mgd/root/opt/oxide/mgd/bin:$PATH"
+export PATH="$OMICRON_WS/out/mg-ddm/root/opt/oxide/mg-ddm/bin:$PATH"
 
 # if xtrace was set previously, do not unset it
 case $OLD_SHELL_OPTS in

diff --git a/internal-dns/types/src/config.rs b/internal-dns/types/src/config.rs
@@ -163,6 +163,20 @@ pub struct DnsConfigBuilder {
     service_instances_sleds: BTreeMap<ServiceName, BTreeMap<Sled, u16>>,
 }
 
+/// Ports for the per-switch services published in internal DNS by
+/// [`DnsConfigBuilder::host_zone_switch`].
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub struct HostSwitchZonePorts {
+    /// Dendrite (`dpd`) admin API port.
+    pub dendrite: u16,
+    /// Management Gateway Service (`mgs`) port.
+    pub mgs: u16,
+    /// Maghemite `mgd` admin API port.
+    pub mgd: u16,
+    /// Maghemite `ddmd` admin API port.
+    pub ddm: u16,
+}
+
 /// Describes a host of type "sled" in the control plane DNS zone
 #[derive(Clone, Debug, Hash, PartialEq, Eq, PartialOrd, Ord)]
 pub struct Sled(SledUuid);
@@ -396,18 +410,23 @@ impl DnsConfigBuilder {
         &mut self,
         sled_id: SledUuid,
         switch_zone_ip: Ipv6Addr,
-        dendrite_port: u16,
-        mgs_port: u16,
-        mgd_port: u16,
+        ports: HostSwitchZonePorts,
     ) -> anyhow::Result<()> {
+        let HostSwitchZonePorts {
+            dendrite: dendrite_port,
+            mgs: mgs_port,
+            mgd: mgd_port,
+            ddm: ddm_port,
+        } = ports;
         let zone = self.host_dendrite(sled_id, switch_zone_ip)?;
         self.service_backend_zone(ServiceName::Dendrite, &zone, dendrite_port)?;
         self.service_backend_zone(
             ServiceName::ManagementGatewayService,
             &zone,
             mgs_port,
         )?;
-        self.service_backend_zone(ServiceName::Mgd, &zone, mgd_port)
+        self.service_backend_zone(ServiceName::Mgd, &zone, mgd_port)?;
+        self.service_backend_zone(ServiceName::Ddm, &zone, ddm_port)
     }
 
     /// Higher-level shorthand for adding a Nexus zone with both its internal
@@ -731,7 +750,9 @@ impl DnsConfigBuilder {
 
 #[cfg(test)]
 mod test {
-    use super::{DnsConfigBuilder, Host, ServiceName};
+    use super::{
+        DnsConfigBuilder, DnsRecord, Host, HostSwitchZonePorts, ServiceName,
+    };
     use crate::{config::Zone, names::DNS_ZONE};
     use omicron_common::api::external::Generation;
     use omicron_uuid_kinds::{OmicronZoneUuid, SledUuid};
@@ -779,6 +800,8 @@ mod test {
             "_oximeter-reader._tcp",
         );
         assert_eq!(ServiceName::Dendrite.dns_name(), "_dendrite._tcp",);
+        assert_eq!(ServiceName::Mgd.dns_name(), "_mgd._tcp",);
+        assert_eq!(ServiceName::Ddm.dns_name(), "_ddm._tcp",);
         assert_eq!(
             ServiceName::CruciblePantry.dns_name(),
             "_crucible-pantry._tcp",
@@ -796,6 +819,71 @@ mod test {
         );
     }
 
+    #[test]
+    fn host_zone_switch_publishes_all_services() {
+        let sled_uuid: SledUuid =
+            "001de000-51ed-4000-8000-000000000001".parse().unwrap();
+        let switch_zone_ip = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1);
+
+        // Use distinct port numbers so an arg-order swap in `host_zone_switch`
+        // surfaces as a port mismatch on the affected service.
+        let dendrite_port = 11;
+        let mgs_port = 13;
+        let mgd_port = 17;
+        let ddm_port = 19;
+
+        let mut builder = DnsConfigBuilder::new();
+        builder
+            .host_zone_switch(
+                sled_uuid,
+                switch_zone_ip,
+                HostSwitchZonePorts {
+                    dendrite: dendrite_port,
+                    mgs: mgs_port,
+                    mgd: mgd_port,
+                    ddm: ddm_port,
+                },
+            )
+            .unwrap();
+
+        let config = builder.build_full_config_for_initial_generation();
+
+        let mut by_name: BTreeMap<&str, &[DnsRecord]> = BTreeMap::new();
+        for zone in &config.zones {
+            for (name, records) in &zone.records {
+                by_name.insert(name.as_str(), records.as_slice());
+            }
+        }
+
+        for (expected_name, expected_port) in [
+            ("_dendrite._tcp", dendrite_port),
+            ("_mgs._tcp", mgs_port),
+            ("_mgd._tcp", mgd_port),
+            ("_ddm._tcp", ddm_port),
+        ] {
+            let records = by_name.get(expected_name).unwrap_or_else(|| {
+                panic!(
+                    "expected {expected_name} in published switch-zone \
+                     services; got {by_name:?}"
+                )
+            });
+            let srv_port = records
+                .iter()
+                .find_map(|r| match r {
+                    DnsRecord::Srv(s) => Some(s.port),
+                    _ => None,
+                })
+                .unwrap_or_else(|| {
+                    panic!("no SRV record for {expected_name}: {records:?}")
+                });
+
+            assert_eq!(
+                srv_port, expected_port,
+                "wrong SRV port for {expected_name}"
+            );
+        }
+    }
+
     #[test]
     fn display_hosts() {
         let sled_uuid = SledUuid::nil();

diff --git a/internal-dns/types/src/names.rs b/internal-dns/types/src/names.rs
@@ -75,6 +75,7 @@ pub enum ServiceName {
     BoundaryNtp,
     InternalNtp,
     Mgd,
+    Ddm,
 }
 
 impl ServiceName {
@@ -116,6 +117,7 @@ impl ServiceName {
             ServiceName::BoundaryNtp => "boundary-ntp",
             ServiceName::InternalNtp => "internal-ntp",
             ServiceName::Mgd => "mgd",
+            ServiceName::Ddm => "ddm",
         }
     }
 
@@ -144,7 +146,8 @@ impl ServiceName {
             | ServiceName::CruciblePantry
             | ServiceName::BoundaryNtp
             | ServiceName::InternalNtp
-            | ServiceName::Mgd => {
+            | ServiceName::Mgd
+            | ServiceName::Ddm => {
                 format!("_{}._tcp", self.service_kind())
             }
             ServiceName::SledAgent(id) => {