diff --git a/Cargo.lock b/Cargo.lock
index 781785b8ec..5fd17fd158 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -59,7 +59,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e89da841a80418a9b391ebaea17f5c112ffaaa96f621d2c285b5174da76b9011"
 dependencies = [
  "cfg-if",
- "getrandom 0.2.14",
+ "getrandom",
  "once_cell",
  "version_check",
  "zerocopy 0.7.34",
@@ -376,10 +376,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b62ddb9cb1ec0a098ad4bbf9344d0713fa193ae1a80af55febcff2627b6a00c1"
 dependencies = [
  "futures-core",
- "getrandom 0.2.14",
+ "getrandom",
  "instant",
  "pin-project-lite",
- "rand 0.8.5",
+ "rand",
  "tokio",
 ]
 
@@ -683,7 +683,7 @@ dependencies = [
  "omicron-workspace-hack",
  "pq-sys",
  "proptest",
- "rand 0.8.5",
+ "rand",
  "secrecy",
  "serde",
  "serde_with",
@@ -1609,7 +1609,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
 dependencies = [
  "generic-array",
- "rand_core 0.6.4",
+ "rand_core",
  "subtle",
  "zeroize",
 ]
@@ -1621,7 +1621,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
 dependencies = [
  "generic-array",
- "rand_core 0.6.4",
+ "rand_core",
  "typenum",
 ]
 
@@ -1676,7 +1676,7 @@ dependencies = [
  "curve25519-dalek-derive",
  "digest",
  "fiat-crypto",
- "rand_core 0.6.4",
+ "rand_core",
  "rustc_version 0.4.0",
  "subtle",
  "zeroize",
@@ -1934,7 +1934,7 @@ dependencies = [
  "dhcproto-macros",
  "hex",
  "ipnet",
- "rand 0.8.5",
+ "rand",
  "thiserror",
  "trust-dns-proto",
  "url",
@@ -2106,6 +2106,10 @@ dependencies = [
  "dns-service-client",
  "dropshot",
  "expectorate",
+ "hickory-client",
+ "hickory-proto",
+ "hickory-resolver",
+ "hickory-server",
  "http 0.2.12",
  "omicron-test-utils",
  "omicron-workspace-hack",
@@ -2125,10 +2129,6 @@ dependencies = [
  "thiserror",
  "tokio",
  "toml 0.8.19",
- "trust-dns-client",
- "trust-dns-proto",
- "trust-dns-resolver",
- "trust-dns-server",
  "uuid",
 ]
 
@@ -2198,7 +2198,7 @@ dependencies = [
  "progenitor",
  "progenitor-client",
  "quote",
- "rand 0.8.5",
+ "rand",
  "regress",
  "reqwest",
  "rustfmt-wrapper",
@@ -2228,7 +2228,7 @@ dependencies = [
  "hostname 0.4.0",
  "http 0.2.12",
  "hyper 0.14.30",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "multer",
  "openapiv3",
  "paste",
@@ -2332,7 +2332,7 @@ checksum = "4a3daa8e81a3963a60642bcc1f90a670680bd4a77535faa384e9d1c79d620871"
 dependencies = [
  "curve25519-dalek",
  "ed25519",
- "rand_core 0.6.4",
+ "rand_core",
  "serde",
  "sha2",
  "subtle",
@@ -2360,7 +2360,7 @@ dependencies = [
  "hkdf",
  "pem-rfc7468",
  "pkcs8",
- "rand_core 0.6.4",
+ "rand_core",
  "sec1",
  "subtle",
  "zeroize",
@@ -2408,6 +2408,7 @@ dependencies = [
  "clap",
  "colored",
  "dhcproto",
+ "hickory-resolver",
  "http 0.2.12",
  "humantime",
  "hyper 0.14.30",
@@ -2418,7 +2419,7 @@ dependencies = [
  "omicron-test-utils",
  "omicron-workspace-hack",
  "oxide-client",
- "rand 0.8.5",
+ "rand",
  "reqwest",
  "russh",
  "russh-keys",
@@ -2428,7 +2429,6 @@ dependencies = [
  "socket2 0.5.7",
  "tokio",
  "toml 0.8.19",
- "trust-dns-resolver",
  "uuid",
 ]
 
@@ -2450,6 +2450,18 @@ dependencies = [
  "syn 1.0.109",
 ]
 
+[[package]]
+name = "enum-as-inner"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5ffccbb6966c05b32ef8fbac435df276c4ae4d3dc55a8cd0eb9745e6c12f546a"
+dependencies = [
+ "heck 0.4.1",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.74",
+]
+
 [[package]]
 name = "env_logger"
 version = "0.9.3"
@@ -2589,7 +2601,7 @@ version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
 dependencies = [
- "rand_core 0.6.4",
+ "rand_core",
  "subtle",
 ]
 
@@ -2905,7 +2917,7 @@ dependencies = [
  "gateway-messages",
  "omicron-workspace-hack",
  "progenitor",
- "rand 0.8.5",
+ "rand",
  "reqwest",
  "schemars",
  "serde",
@@ -3023,17 +3035,6 @@ dependencies = [
  "unicode-width",
 ]
 
-[[package]]
-name = "getrandom"
-version = "0.1.16"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fc3cb4d91f53b50155bdcfd23f6a4c39ae1969c2ae85982b135750cccaf5fce"
-dependencies = [
- "cfg-if",
- "libc",
- "wasi 0.9.0+wasi-snapshot-preview1",
-]
-
 [[package]]
 name = "getrandom"
 version = "0.2.14"
@@ -3043,7 +3044,7 @@ dependencies = [
  "cfg-if",
  "js-sys",
  "libc",
- "wasi 0.11.0+wasi-snapshot-preview1",
+ "wasi",
  "wasm-bindgen",
 ]
 
@@ -3113,7 +3114,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
 dependencies = [
  "ff",
- "rand_core 0.6.4",
+ "rand_core",
  "subtle",
 ]
 
@@ -3130,7 +3131,7 @@ dependencies = [
  "debug-ignore",
  "fixedbitset",
  "guppy-workspace-hack",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "itertools 0.13.0",
  "nested",
  "once_cell",
@@ -3162,7 +3163,7 @@ dependencies = [
  "futures-sink",
  "futures-util",
  "http 0.2.12",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "slab",
  "tokio",
  "tokio-util",
@@ -3329,6 +3330,90 @@ version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6fe2267d4ed49bc07b63801559be28c718ea06c4738b7a03c94df7386d2cde46"
 
+[[package]]
+name = "hickory-client"
+version = "0.24.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bab9683b08d8f8957a857b0236455d80e1886eaa8c6178af556aa7871fb61b55"
+dependencies = [
+ "cfg-if",
+ "data-encoding",
+ "futures-channel",
+ "futures-util",
+ "hickory-proto",
+ "once_cell",
+ "radix_trie",
+ "rand",
+ "thiserror",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "hickory-proto"
+version = "0.24.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07698b8420e2f0d6447a436ba999ec85d8fbf2a398bbd737b82cac4a2e96e512"
+dependencies = [
+ "async-trait",
+ "cfg-if",
+ "data-encoding",
+ "enum-as-inner 0.6.0",
+ "futures-channel",
+ "futures-io",
+ "futures-util",
+ "idna 0.4.0",
+ "ipnet",
+ "once_cell",
+ "rand",
+ "thiserror",
+ "tinyvec",
+ "tokio",
+ "tracing",
+ "url",
+]
+
+[[package]]
+name = "hickory-resolver"
+version = "0.24.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28757f23aa75c98f254cf0405e6d8c25b831b32921b050a66692427679b1f243"
+dependencies = [
+ "cfg-if",
+ "futures-util",
+ "hickory-proto",
+ "ipconfig",
+ "lru-cache",
+ "once_cell",
+ "parking_lot 0.12.2",
+ "rand",
+ "resolv-conf",
+ "smallvec 1.13.2",
+ "thiserror",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "hickory-server"
+version = "0.24.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9be0e43c556b9b3fdb6c7c71a9a32153a2275d02419e3de809e520bfcfe40c37"
+dependencies = [
+ "async-trait",
+ "bytes",
+ "cfg-if",
+ "enum-as-inner 0.6.0",
+ "futures-util",
+ "hickory-proto",
+ "serde",
+ "thiserror",
+ "time",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
 [[package]]
 name = "highway"
 version = "1.2.0"
@@ -3603,7 +3688,7 @@ dependencies = [
  "hyper 0.14.30",
  "mime_guess",
  "percent-encoding",
- "rand 0.8.5",
+ "rand",
  "tokio",
  "url",
  "winapi",
@@ -3692,6 +3777,16 @@ dependencies = [
  "unicode-normalization",
 ]
 
+[[package]]
+name = "idna"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d20d6b07bfbc108882d88ed8e37d39636dcc260e15e30c45e6ba089610b917c"
+dependencies = [
+ "unicode-bidi",
+ "unicode-normalization",
+]
+
 [[package]]
 name = "idna"
 version = "0.5.0"
@@ -3785,9 +3880,9 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.3.0"
+version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "de3fc2e30ba82dd1b3911c8de1ffc143c74a914a14e99514d7637e3099df5ea0"
+checksum = "93ead53efc7ea8ed3cfb0c79fc8023fbb782a5432b52830b6518941cebe6505c"
 dependencies = [
  "equivalent",
  "hashbrown 0.14.5",
@@ -3843,6 +3938,7 @@ dependencies = [
  "buf-list",
  "bytes",
  "camino",
+ "camino-tempfile",
  "cancel-safe-futures",
  "clap",
  "display-error-chain",
@@ -3872,7 +3968,6 @@ dependencies = [
  "slog-envlogger",
  "slog-term",
  "smf",
- "tempfile",
  "test-strategy",
  "thiserror",
  "tokio",
@@ -3958,6 +4053,7 @@ dependencies = [
  "dropshot",
  "expectorate",
  "futures",
+ "hickory-resolver",
  "hyper 0.14.30",
  "omicron-common",
  "omicron-test-utils",
@@ -3972,7 +4068,6 @@ dependencies = [
  "tempfile",
  "thiserror",
  "tokio",
- "trust-dns-resolver",
  "uuid",
 ]
 
@@ -3983,12 +4078,12 @@ dependencies = [
  "anyhow",
  "clap",
  "dropshot",
+ "hickory-resolver",
  "internal-dns",
  "omicron-common",
  "omicron-workspace-hack",
  "slog",
  "tokio",
- "trust-dns-resolver",
 ]
 
 [[package]]
@@ -4254,7 +4349,7 @@ dependencies = [
  "portpicker",
  "propolis-client 0.1.0 (git+https://github.com/oxidecomputer/propolis?rev=6dceb9ef69c217cb78a2018bbedafbc19f6ec1af)",
  "propolis-server-config",
- "rand 0.8.5",
+ "rand",
  "regex",
  "reqwest",
  "ron 0.7.1",
@@ -4669,7 +4764,7 @@ checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
 dependencies = [
  "libc",
  "log",
- "wasi 0.11.0+wasi-snapshot-preview1",
+ "wasi",
  "windows-sys 0.48.0",
 ]
 
@@ -4682,7 +4777,7 @@ dependencies = [
  "hermit-abi 0.3.9",
  "libc",
  "log",
- "wasi 0.11.0+wasi-snapshot-preview1",
+ "wasi",
  "windows-sys 0.52.0",
 ]
 
@@ -4744,7 +4839,7 @@ version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a51313c5820b0b02bd422f4b44776fbf47961755c74ce64afc73bfad10226c3"
 dependencies = [
- "getrandom 0.2.14",
+ "getrandom",
 ]
 
 [[package]]
@@ -4932,7 +5027,7 @@ dependencies = [
  "oxnet",
  "parse-display",
  "pq-sys",
- "rand 0.8.5",
+ "rand",
  "ref-cast",
  "schemars",
  "semver 1.0.23",
@@ -5001,7 +5096,7 @@ dependencies = [
  "pq-sys",
  "predicates",
  "pretty_assertions",
- "rand 0.8.5",
+ "rand",
  "rcgen",
  "ref-cast",
  "regex",
@@ -5035,7 +5130,7 @@ dependencies = [
  "omicron-workspace-hack",
  "once_cell",
  "oxnet",
- "rand 0.8.5",
+ "rand",
  "serde_json",
 ]
 
@@ -5186,7 +5281,7 @@ dependencies = [
  "debug-ignore",
  "expectorate",
  "gateway-client",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "internal-dns",
  "ipnet",
  "maplit",
@@ -5200,7 +5295,7 @@ dependencies = [
  "omicron-workspace-hack",
  "oxnet",
  "proptest",
- "rand 0.8.5",
+ "rand",
  "sled-agent-client",
  "slog",
  "static_assertions",
@@ -5303,6 +5398,7 @@ dependencies = [
  "gateway-messages",
  "gateway-test-utils",
  "headers",
+ "hickory-resolver",
  "http 0.2.12",
  "hyper 0.14.30",
  "illumos-utils",
@@ -5329,7 +5425,6 @@ dependencies = [
  "slog",
  "tokio",
  "tokio-util",
- "trust-dns-resolver",
  "uuid",
 ]
 
@@ -5466,7 +5561,7 @@ checksum = "c165a9ab64cf766f73521c0dd2cfdff64f488b8f0b3e621face3462d3db536d7"
 dependencies = [
  "num-integer",
  "num-traits",
- "rand 0.8.5",
+ "rand",
 ]
 
 [[package]]
@@ -5481,7 +5576,7 @@ dependencies = [
  "num-integer",
  "num-iter",
  "num-traits",
- "rand 0.8.5",
+ "rand",
  "serde",
  "smallvec 1.13.2",
  "zeroize",
@@ -5771,7 +5866,7 @@ dependencies = [
  "progenitor",
  "progenitor-client",
  "proptest",
- "rand 0.8.5",
+ "rand",
  "regress",
  "reqwest",
  "schemars",
@@ -5931,6 +6026,7 @@ dependencies = [
  "gateway-test-utils",
  "headers",
  "hex",
+ "hickory-resolver",
  "http 0.2.12",
  "httptest",
  "hubtools",
@@ -5989,7 +6085,7 @@ dependencies = [
  "pretty_assertions",
  "progenitor-client",
  "propolis-client 0.1.0 (git+https://github.com/oxidecomputer/propolis?rev=24a74d0c76b6a63961ecef76acb1516b6e66c5c9)",
- "rand 0.8.5",
+ "rand",
  "rcgen",
  "ref-cast",
  "regex",
@@ -6023,7 +6119,6 @@ dependencies = [
  "tokio-postgres",
  "tokio-util",
  "tough",
- "trust-dns-resolver",
  "tufaceous",
  "tufaceous-lib",
  "update-common",
@@ -6055,6 +6150,7 @@ dependencies = [
  "indicatif",
  "internal-dns",
  "ipnetwork",
+ "itertools 0.13.0",
  "multimap",
  "nexus-client",
  "nexus-config",
@@ -6135,7 +6231,7 @@ dependencies = [
  "clap",
  "criterion",
  "omicron-workspace-hack",
- "rand 0.8.5",
+ "rand",
  "rust-argon2",
  "schemars",
  "serde",
@@ -6244,7 +6340,7 @@ dependencies = [
  "pretty_assertions",
  "propolis-client 0.1.0 (git+https://github.com/oxidecomputer/propolis?rev=24a74d0c76b6a63961ecef76acb1516b6e66c5c9)",
  "propolis-mock-server",
- "rand 0.8.5",
+ "rand",
  "rcgen",
  "reqwest",
  "schemars",
@@ -6374,13 +6470,14 @@ dependencies = [
  "futures-util",
  "gateway-messages",
  "generic-array",
- "getrandom 0.2.14",
+ "getrandom",
  "group",
  "hashbrown 0.14.5",
  "hex",
+ "hickory-proto",
  "hmac",
  "hyper 0.14.30",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "inout",
  "itertools 0.10.5",
  "itertools 0.12.1",
@@ -6441,7 +6538,6 @@ dependencies = [
  "toml_edit 0.19.15",
  "toml_edit 0.22.20",
  "tracing",
- "trust-dns-proto",
  "unicode-bidi",
  "unicode-normalization",
  "unicode-xid",
@@ -6508,7 +6604,7 @@ version = "0.4.0"
 source = "git+https://github.com/oxidecomputer/openapi-lint?branch=main#ef442ee4343e97b6d9c217d3e7533962fe7d7236"
 dependencies = [
  "heck 0.4.1",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "lazy_static",
  "openapiv3",
  "regex",
@@ -6550,7 +6646,7 @@ version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cc02deea53ffe807708244e5914f6b099ad7015a207ee24317c22112e17d9c5c"
 dependencies = [
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "serde",
  "serde_json",
 ]
@@ -6687,18 +6783,18 @@ dependencies = [
  "base64 0.22.1",
  "chrono",
  "futures",
+ "hickory-resolver",
  "http 0.2.12",
  "hyper 0.14.30",
  "omicron-workspace-hack",
  "progenitor",
- "rand 0.8.5",
+ "rand",
  "regress",
  "reqwest",
  "serde",
  "serde_json",
  "thiserror",
  "tokio",
- "trust-dns-resolver",
  "uuid",
 ]
 
@@ -6786,7 +6882,7 @@ dependencies = [
  "oximeter-api",
  "oximeter-client",
  "oximeter-db",
- "rand 0.8.5",
+ "rand",
  "reqwest",
  "schemars",
  "serde",
@@ -6822,7 +6918,7 @@ dependencies = [
  "expectorate",
  "futures",
  "highway",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "itertools 0.13.0",
  "num",
  "omicron-common",
@@ -6869,7 +6965,7 @@ dependencies = [
  "prettyplease",
  "proc-macro2",
  "quote",
- "rand 0.8.5",
+ "rand",
  "rand_distr",
  "regex",
  "rstest",
@@ -6899,7 +6995,7 @@ dependencies = [
  "libc",
  "omicron-workspace-hack",
  "oximeter",
- "rand 0.8.5",
+ "rand",
  "schemars",
  "serde",
  "slog",
@@ -7014,7 +7110,7 @@ dependencies = [
  "ecdsa",
  "elliptic-curve",
  "primeorder",
- "rand_core 0.6.4",
+ "rand_core",
  "sha2",
 ]
 
@@ -7149,7 +7245,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7676374caaee8a325c9e7a2ae557f216c5563a171d6997b0ef8a65af35147700"
 dependencies = [
  "base64ct",
- "rand_core 0.6.4",
+ "rand_core",
  "subtle",
 ]
 
@@ -7160,7 +7256,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
 dependencies = [
  "base64ct",
- "rand_core 0.6.4",
+ "rand_core",
  "subtle",
 ]
 
@@ -7311,7 +7407,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
  "fixedbitset",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "serde",
  "serde_derive",
 ]
@@ -7409,7 +7505,7 @@ checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
 dependencies = [
  "der",
  "pkcs5",
- "rand_core 0.6.4",
+ "rand_core",
  "spki",
 ]
 
@@ -7509,7 +7605,7 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be97d76faf1bfab666e1375477b23fde79eccf0276e9b63b92a39d676a889ba9"
 dependencies = [
- "rand 0.8.5",
+ "rand",
 ]
 
 [[package]]
@@ -7536,7 +7632,7 @@ dependencies = [
  "hmac",
  "md-5",
  "memchr",
- "rand 0.8.5",
+ "rand",
  "sha2",
  "stringprep",
 ]
@@ -7729,7 +7825,7 @@ dependencies = [
  "getopts",
  "heck 0.5.0",
  "http 0.2.12",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "openapiv3",
  "proc-macro2",
  "quote",
@@ -7799,7 +7895,7 @@ dependencies = [
  "base64 0.21.7",
  "futures",
  "progenitor",
- "rand 0.8.5",
+ "rand",
  "reqwest",
  "schemars",
  "serde",
@@ -7820,7 +7916,7 @@ dependencies = [
  "base64 0.21.7",
  "futures",
  "progenitor",
- "rand 0.8.5",
+ "rand",
  "reqwest",
  "schemars",
  "serde",
@@ -7846,7 +7942,7 @@ dependencies = [
  "hyper 0.14.30",
  "progenitor",
  "propolis_types 0.0.0 (git+https://github.com/oxidecomputer/propolis?rev=24a74d0c76b6a63961ecef76acb1516b6e66c5c9)",
- "rand 0.8.5",
+ "rand",
  "reqwest",
  "schemars",
  "serde",
@@ -7903,8 +7999,8 @@ dependencies = [
  "bitflags 2.6.0",
  "lazy_static",
  "num-traits",
- "rand 0.8.5",
- "rand_chacha 0.3.1",
+ "rand",
+ "rand_chacha",
  "rand_xorshift",
  "regex-syntax 0.8.4",
  "rusty-fork",
@@ -7980,19 +8076,6 @@ dependencies = [
  "nibble_vec",
 ]
 
-[[package]]
-name = "rand"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03"
-dependencies = [
- "getrandom 0.1.16",
- "libc",
- "rand_chacha 0.2.2",
- "rand_core 0.5.1",
- "rand_hc",
-]
-
 [[package]]
 name = "rand"
 version = "0.8.5"
@@ -8000,18 +8083,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
 dependencies = [
  "libc",
- "rand_chacha 0.3.1",
- "rand_core 0.6.4",
-]
-
-[[package]]
-name = "rand_chacha"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402"
-dependencies = [
- "ppv-lite86",
- "rand_core 0.5.1",
+ "rand_chacha",
+ "rand_core",
 ]
 
 [[package]]
@@ -8021,16 +8094,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
 dependencies = [
  "ppv-lite86",
- "rand_core 0.6.4",
-]
-
-[[package]]
-name = "rand_core"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
-dependencies = [
- "getrandom 0.1.16",
+ "rand_core",
 ]
 
 [[package]]
@@ -8039,7 +8103,7 @@ version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
 dependencies = [
- "getrandom 0.2.14",
+ "getrandom",
 ]
 
 [[package]]
@@ -8049,16 +8113,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32cb0b9bc82b0a0876c2dd994a7e7a2683d3e7390ca40e6886785ef0c7e3ee31"
 dependencies = [
  "num-traits",
- "rand 0.8.5",
-]
-
-[[package]]
-name = "rand_hc"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c"
-dependencies = [
- "rand_core 0.5.1",
+ "rand",
 ]
 
 [[package]]
@@ -8067,7 +8122,7 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4a9febe641d2842ffc76ee962668a17578767c4e01735e4802b21ed9a24b2e4e"
 dependencies = [
- "rand_core 0.6.4",
+ "rand_core",
 ]
 
 [[package]]
@@ -8076,7 +8131,7 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d25bf25ec5ae4a3f1b92f929810509a2f53d7dca2f50b794ff57e3face536c8f"
 dependencies = [
- "rand_core 0.6.4",
+ "rand_core",
 ]
 
 [[package]]
@@ -8145,7 +8200,7 @@ dependencies = [
  "dropshot",
  "expectorate",
  "humantime",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "nexus-client",
  "nexus-db-queries",
  "nexus-reconfigurator-execution",
@@ -8207,7 +8262,7 @@ version = "0.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bd283d9651eeda4b2a83a43c1c91b266c40fd76ecd39a50a8c630ae69dc72891"
 dependencies = [
- "getrandom 0.2.14",
+ "getrandom",
  "libredox",
  "thiserror",
 ]
@@ -8415,7 +8470,7 @@ checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
 dependencies = [
  "cc",
  "cfg-if",
- "getrandom 0.2.14",
+ "getrandom",
  "libc",
  "spin 0.9.8",
  "untrusted 0.9.0",
@@ -8469,7 +8524,7 @@ dependencies = [
  "num-traits",
  "pkcs1",
  "pkcs8",
- "rand_core 0.6.4",
+ "rand_core",
  "serde",
  "sha2",
  "signature",
@@ -8560,8 +8615,8 @@ dependencies = [
  "p384",
  "p521",
  "poly1305",
- "rand 0.8.5",
- "rand_core 0.6.4",
+ "rand",
+ "rand_core",
  "russh-cryptovec",
  "russh-keys",
  "sha1",
@@ -8616,8 +8671,8 @@ dependencies = [
  "pkcs1",
  "pkcs5",
  "pkcs8",
- "rand 0.8.5",
- "rand_core 0.6.4",
+ "rand",
+ "rand_core",
  "rsa",
  "russh-cryptovec",
  "sec1",
@@ -8879,7 +8934,7 @@ dependencies = [
  "openssl-sys",
  "pkg-config",
  "quick-xml",
- "rand 0.8.5",
+ "rand",
  "serde",
  "thiserror",
  "url",
@@ -9119,9 +9174,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.124"
+version = "1.0.125"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66ad62847a56b3dba58cc891acd13884b9c61138d330c0d7b6181713d4fce38d"
+checksum = "83c8e735a073ccf5be70aa8066aa984eaf2fa000db6c8d0100ae605b366d31ed"
 dependencies = [
  "itoa",
  "memchr",
@@ -9170,9 +9225,9 @@ dependencies = [
 
 [[package]]
 name = "serde_tokenstream"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8790a7c3fe883e443eaa2af6f705952bc5d6e8671a220b9335c8cae92c037e74"
+checksum = "64060d864397305347a78851c51588fd283767e7e7589829e8121d65512340f1"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -9202,7 +9257,7 @@ dependencies = [
  "chrono",
  "hex",
  "indexmap 1.9.3",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "serde",
  "serde_derive",
  "serde_json",
@@ -9228,7 +9283,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "itoa",
  "ryu",
  "serde",
@@ -9329,7 +9384,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
 dependencies = [
  "digest",
- "rand_core 0.6.4",
+ "rand_core",
 ]
 
 [[package]]
@@ -9480,7 +9535,7 @@ dependencies = [
  "omicron-test-utils",
  "omicron-uuid-kinds",
  "omicron-workspace-hack",
- "rand 0.8.5",
+ "rand",
  "schemars",
  "serde",
  "sled-hardware-types",
@@ -9524,7 +9579,7 @@ dependencies = [
  "omicron-test-utils",
  "omicron-uuid-kinds",
  "omicron-workspace-hack",
- "rand 0.8.5",
+ "rand",
  "schemars",
  "serde",
  "serde_json",
@@ -9878,7 +9933,7 @@ dependencies = [
  "p256",
  "p384",
  "p521",
- "rand_core 0.6.4",
+ "rand_core",
  "rsa",
  "sec1",
  "sha2",
@@ -10548,7 +10603,7 @@ dependencies = [
  "pin-project-lite",
  "postgres-protocol",
  "postgres-types",
- "rand 0.8.5",
+ "rand",
  "socket2 0.5.7",
  "tokio",
  "tokio-util",
@@ -10624,15 +10679,6 @@ dependencies = [
  "tokio",
 ]
 
-[[package]]
-name = "toml"
-version = "0.5.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4f7f0dd8d50a853a531c426359045b1998f04219d88799810762cd4ad314234"
-dependencies = [
- "serde",
-]
-
 [[package]]
 name = "toml"
 version = "0.7.8"
@@ -10672,7 +10718,7 @@ version = "0.19.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1b5bb770da30e5cbfde35a2d7b9b8a2c4b8ef89548a7a6aeab5c9a576e3e7421"
 dependencies = [
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "serde",
  "serde_spanned",
  "toml_datetime",
@@ -10685,7 +10731,7 @@ version = "0.22.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "583c44c02ad26b0c3f3066fe629275e50627026c51ac2e595cca4c230ce1ce1d"
 dependencies = [
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "serde",
  "serde_spanned",
  "toml_datetime",
@@ -10805,26 +10851,6 @@ dependencies = [
  "once_cell",
 ]
 
-[[package]]
-name = "trust-dns-client"
-version = "0.22.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c408c32e6a9dbb38037cece35740f2cf23c875d8ca134d33631cec83f74d3fe"
-dependencies = [
- "cfg-if",
- "data-encoding",
- "futures-channel",
- "futures-util",
- "lazy_static",
- "radix_trie",
- "rand 0.8.5",
- "thiserror",
- "time",
- "tokio",
- "tracing",
- "trust-dns-proto",
-]
-
 [[package]]
 name = "trust-dns-proto"
 version = "0.22.0"
@@ -10834,64 +10860,21 @@ dependencies = [
  "async-trait",
  "cfg-if",
  "data-encoding",
- "enum-as-inner",
+ "enum-as-inner 0.5.1",
  "futures-channel",
  "futures-io",
  "futures-util",
  "idna 0.2.3",
  "ipnet",
  "lazy_static",
- "rand 0.8.5",
+ "rand",
  "smallvec 1.13.2",
  "thiserror",
  "tinyvec",
- "tokio",
  "tracing",
  "url",
 ]
 
-[[package]]
-name = "trust-dns-resolver"
-version = "0.22.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aff21aa4dcefb0a1afbfac26deb0adc93888c7d295fb63ab273ef276ba2b7cfe"
-dependencies = [
- "cfg-if",
- "futures-util",
- "ipconfig",
- "lazy_static",
- "lru-cache",
- "parking_lot 0.12.2",
- "resolv-conf",
- "smallvec 1.13.2",
- "thiserror",
- "tokio",
- "tracing",
- "trust-dns-proto",
-]
-
-[[package]]
-name = "trust-dns-server"
-version = "0.22.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "99022f9befa6daec2a860be68ac28b1f0d9d7ccf441d8c5a695e35a58d88840d"
-dependencies = [
- "async-trait",
- "bytes",
- "cfg-if",
- "enum-as-inner",
- "futures-executor",
- "futures-util",
- "serde",
- "thiserror",
- "time",
- "tokio",
- "toml 0.5.11",
- "tracing",
- "trust-dns-client",
- "trust-dns-proto",
-]
-
 [[package]]
 name = "try-lock"
 version = "0.2.5"
@@ -10960,7 +10943,7 @@ dependencies = [
  "omicron-test-utils",
  "omicron-workspace-hack",
  "parse-size",
- "rand 0.8.5",
+ "rand",
  "ring 0.17.8",
  "serde",
  "serde_json",
@@ -10997,7 +10980,7 @@ dependencies = [
  "http 0.2.12",
  "httparse",
  "log",
- "rand 0.8.5",
+ "rand",
  "sha1",
  "thiserror",
  "url",
@@ -11016,7 +10999,7 @@ dependencies = [
  "http 1.1.0",
  "httparse",
  "log",
- "rand 0.8.5",
+ "rand",
  "sha1",
  "thiserror",
  "url",
@@ -11030,7 +11013,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "97fee6b57c6a41524a810daee9286c02d7752c4253064d0b05472833a438f675"
 dependencies = [
  "cfg-if",
- "rand 0.7.3",
+ "rand",
  "static_assertions",
 ]
 
@@ -11046,8 +11029,8 @@ version = "0.1.0"
 dependencies = [
  "newtype-uuid",
  "omicron-workspace-hack",
- "rand 0.8.5",
- "rand_core 0.6.4",
+ "rand",
+ "rand_core",
  "rand_seeder",
  "uuid",
 ]
@@ -11231,7 +11214,7 @@ dependencies = [
  "omicron-common",
  "omicron-test-utils",
  "omicron-workspace-hack",
- "rand 0.8.5",
+ "rand",
  "sha2",
  "slog",
  "thiserror",
@@ -11257,7 +11240,7 @@ dependencies = [
  "derive-where",
  "either",
  "futures",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "indicatif",
  "libsw",
  "linear-map",
@@ -11371,7 +11354,7 @@ version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314"
 dependencies = [
- "getrandom 0.2.14",
+ "getrandom",
  "serde",
 ]
 
@@ -11439,9 +11422,9 @@ dependencies = [
  "curve25519-dalek",
  "elliptic-curve",
  "hex",
- "rand 0.8.5",
- "rand_chacha 0.3.1",
- "rand_core 0.6.4",
+ "rand",
+ "rand_chacha",
+ "rand_core",
  "serde",
  "subtle",
  "thiserror-no-std",
@@ -11505,12 +11488,6 @@ dependencies = [
  "try-lock",
 ]
 
-[[package]]
-name = "wasi"
-version = "0.9.0+wasi-snapshot-preview1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
-
 [[package]]
 name = "wasi"
 version = "0.11.0+wasi-snapshot-preview1"
@@ -11655,7 +11632,7 @@ dependencies = [
  "expectorate",
  "futures",
  "humantime",
- "indexmap 2.3.0",
+ "indexmap 2.4.0",
  "indicatif",
  "itertools 0.13.0",
  "maplit",
@@ -11764,6 +11741,7 @@ dependencies = [
  "gateway-messages",
  "gateway-test-utils",
  "hex",
+ "hickory-resolver",
  "http 0.2.12",
  "hubtools",
  "hyper 0.14.30",
@@ -11786,7 +11764,7 @@ dependencies = [
  "openapi-lint",
  "openapiv3",
  "oxnet",
- "rand 0.8.5",
+ "rand",
  "reqwest",
  "schemars",
  "serde",
@@ -11803,7 +11781,6 @@ dependencies = [
  "tokio-util",
  "toml 0.8.19",
  "tough",
- "trust-dns-resolver",
  "tufaceous",
  "tufaceous-lib",
  "update-common",
diff --git a/Cargo.toml b/Cargo.toml
index b7cf6f6fd1..2bb189b6c0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -362,6 +362,10 @@ headers = "0.3.9"
 heck = "0.5"
 hex = "0.4.3"
 hex-literal = "0.4.1"
+hickory-client = "0.24.1"
+hickory-proto = "0.24.1"
+hickory-resolver = "0.24.1"
+hickory-server = "0.24.1"
 highway = "1.2.0"
 hkdf = "0.12.4"
 http = "0.2.12"
@@ -373,7 +377,7 @@ hyper-rustls = "0.26.0"
 hyper-staticfile = "0.9.5"
 illumos-utils = { path = "illumos-utils" }
 indent_write = "2.2.0"
-indexmap = "2.3.0"
+indexmap = "2.4.0"
 indicatif = { version = "0.17.8", features = ["rayon"] }
 installinator = { path = "installinator" }
 installinator-api = { path = "installinator-api" }
@@ -507,7 +511,7 @@ secrecy = "0.8.0"
 semver = { version = "1.0.23", features = ["std", "serde"] }
 serde = { version = "1.0", default-features = false, features = [ "derive", "rc" ] }
 serde_human_bytes = { git = "https://github.com/oxidecomputer/serde_human_bytes", branch = "main" }
-serde_json = "1.0.124"
+serde_json = "1.0.125"
 serde_path_to_error = "0.1.16"
 serde_tokenstream = "0.2"
 serde_urlencoded = "0.7.1"
@@ -572,10 +576,6 @@ tokio-util = { version = "0.7.11", features = ["io", "io-util"] }
 toml = "0.8.19"
 toml_edit = "0.22.20"
 tough = { version = "0.17.1", features = [ "http" ] }
-trust-dns-client = "0.22"
-trust-dns-proto = "0.22"
-trust-dns-resolver = "0.22"
-trust-dns-server = "0.22"
 trybuild = "1.0.99"
 tufaceous = { path = "tufaceous" }
 tufaceous-lib = { path = "tufaceous-lib" }
@@ -734,8 +734,6 @@ opt-level = 3
 opt-level = 3
 [profile.dev.package.rand_core]
 opt-level = 3
-[profile.dev.package.rand_hc]
-opt-level = 3
 [profile.dev.package.rand_xorshift]
 opt-level = 3
 [profile.dev.package.rsa]
diff --git a/clients/oxide-client/Cargo.toml b/clients/oxide-client/Cargo.toml
index f2adcacb1b..183640946f 100644
--- a/clients/oxide-client/Cargo.toml
+++ b/clients/oxide-client/Cargo.toml
@@ -12,6 +12,7 @@ anyhow.workspace = true
 base64.workspace = true
 chrono.workspace = true
 futures.workspace = true
+hickory-resolver.workspace = true
 http.workspace = true
 hyper.workspace = true
 progenitor.workspace = true
@@ -22,6 +23,5 @@ serde.workspace = true
 serde_json.workspace = true
 thiserror.workspace = true
 tokio = { workspace = true, features = [ "net" ] }
-trust-dns-resolver.workspace = true
 uuid.workspace = true
 omicron-workspace-hack.workspace = true
diff --git a/clients/oxide-client/src/lib.rs b/clients/oxide-client/src/lib.rs
index 07a190c38e..249ea18146 100644
--- a/clients/oxide-client/src/lib.rs
+++ b/clients/oxide-client/src/lib.rs
@@ -7,13 +7,13 @@
 use anyhow::anyhow;
 use anyhow::Context;
 use futures::FutureExt;
+use hickory_resolver::config::{
+    NameServerConfig, Protocol, ResolverConfig, ResolverOpts,
+};
+use hickory_resolver::TokioAsyncResolver;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use thiserror::Error;
-use trust_dns_resolver::config::{
-    NameServerConfig, Protocol, ResolverConfig, ResolverOpts,
-};
-use trust_dns_resolver::TokioAsyncResolver;
 
 progenitor::generate_api!(
     spec = "../../openapi/nexus.json",
@@ -46,14 +46,15 @@ impl CustomDnsResolver {
             socket_addr: dns_addr,
             protocol: Protocol::Udp,
             tls_dns_name: None,
-            trust_nx_responses: false,
+            trust_negative_responses: false,
             bind_addr: None,
         });
+        let mut resolver_opts = ResolverOpts::default();
+        // Enable edns for potentially larger records
+        resolver_opts.edns0 = true;
 
-        let resolver = Arc::new(
-            TokioAsyncResolver::tokio(resolver_config, ResolverOpts::default())
-                .context("failed to create resolver")?,
-        );
+        let resolver =
+            Arc::new(TokioAsyncResolver::tokio(resolver_config, resolver_opts));
         Ok(CustomDnsResolver { dns_addr, resolver })
     }
 
diff --git a/common/src/address.rs b/common/src/address.rs
index ba1193c7f0..c23f5c41ed 100644
--- a/common/src/address.rs
+++ b/common/src/address.rs
@@ -8,6 +8,7 @@
 //! and Nexus, who need to agree upon addressing schemes.
 
 use crate::api::external::{self, Error};
+use crate::policy::{DNS_REDUNDANCY, MAX_DNS_REDUNDANCY};
 use ipnetwork::Ipv6Network;
 use once_cell::sync::Lazy;
 use oxnet::{Ipv4Net, Ipv6Net};
@@ -25,31 +26,6 @@ pub const MAX_PORT: u16 = u16::MAX;
 /// minimum possible value for a tcp or udp port
 pub const MIN_PORT: u16 = u16::MIN;
 
-/// The amount of redundancy for boundary NTP servers.
-pub const BOUNDARY_NTP_REDUNDANCY: usize = 2;
-
-/// The amount of redundancy for Nexus services.
-///
-/// This is used by both RSS (to distribute the initial set of services) and the
-/// Reconfigurator (to know whether to add new Nexus zones)
-pub const NEXUS_REDUNDANCY: usize = 3;
-
-/// The amount of redundancy for CockroachDb services.
-///
-/// This is used by both RSS (to distribute the initial set of services) and the
-/// Reconfigurator (to know whether to add new crdb zones)
-pub const COCKROACHDB_REDUNDANCY: usize = 5;
-
-/// The amount of redundancy for internal DNS servers.
-///
-/// Must be less than or equal to MAX_DNS_REDUNDANCY.
-pub const DNS_REDUNDANCY: usize = 3;
-
-/// The maximum amount of redundancy for DNS servers.
-///
-/// This determines the number of addresses which are reserved for DNS servers.
-pub const MAX_DNS_REDUNDANCY: usize = 5;
-
 pub const DNS_PORT: u16 = 53;
 pub const DNS_HTTP_PORT: u16 = 5353;
 pub const SLED_AGENT_PORT: u16 = 12345;
diff --git a/common/src/lib.rs b/common/src/lib.rs
index e4f53cbfab..6da32c56ba 100644
--- a/common/src/lib.rs
+++ b/common/src/lib.rs
@@ -26,6 +26,7 @@ pub mod backoff;
 pub mod cmd;
 pub mod disk;
 pub mod ledger;
+pub mod policy;
 pub mod progenitor_operation_retry;
 pub mod update;
 pub mod vlan;
diff --git a/common/src/policy.rs b/common/src/policy.rs
new file mode 100644
index 0000000000..677dbfe2b9
--- /dev/null
+++ b/common/src/policy.rs
@@ -0,0 +1,40 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Fleet policy related functionality used by both Reconfigurator and RSS.
+
+/// The amount of redundancy for boundary NTP servers.
+pub const BOUNDARY_NTP_REDUNDANCY: usize = 2;
+
+/// The amount of redundancy for Nexus services.
+///
+/// This is used by both RSS (to distribute the initial set of services) and the
+/// Reconfigurator (to know whether to add new Nexus zones)
+pub const NEXUS_REDUNDANCY: usize = 3;
+
+/// The amount of redundancy for CockroachDb services.
+///
+/// This is used by both RSS (to distribute the initial set of services) and the
+/// Reconfigurator (to know whether to add new crdb zones)
+pub const COCKROACHDB_REDUNDANCY: usize = 5;
+
+/// The amount of redundancy for internal DNS servers.
+///
+/// Must be less than or equal to MAX_DNS_REDUNDANCY.
+pub const DNS_REDUNDANCY: usize = 3;
+
+/// The maximum amount of redundancy for DNS servers.
+///
+/// This determines the number of addresses which are reserved for DNS servers.
+pub const MAX_DNS_REDUNDANCY: usize = 5;
+
+/// The amount of redundancy for clickhouse servers
+///
+/// Clickhouse servers contain lazily replicated data
+pub const CLICKHOUSE_SERVER_REDUNDANCY: usize = 3;
+
+/// The amount of redundancy for clickhouse keepers
+///
+/// Keepers maintain strongly consistent metadata about data replication
+pub const CLICKHOUSE_KEEPER_REDUNDANCY: usize = 5;
diff --git a/dev-tools/omdb/Cargo.toml b/dev-tools/omdb/Cargo.toml
index 0990fdb11c..a92de1b6a9 100644
--- a/dev-tools/omdb/Cargo.toml
+++ b/dev-tools/omdb/Cargo.toml
@@ -28,6 +28,7 @@ gateway-messages.workspace = true
 gateway-test-utils.workspace = true
 humantime.workspace = true
 internal-dns.workspace = true
+itertools.workspace = true
 nexus-client.workspace = true
 nexus-config.workspace = true
 nexus-db-model.workspace = true
diff --git a/dev-tools/omdb/src/bin/omdb/nexus.rs b/dev-tools/omdb/src/bin/omdb/nexus.rs
index 1b6d2469f4..ede2743404 100644
--- a/dev-tools/omdb/src/bin/omdb/nexus.rs
+++ b/dev-tools/omdb/src/bin/omdb/nexus.rs
@@ -19,6 +19,7 @@ use clap::Subcommand;
 use clap::ValueEnum;
 use futures::future::try_join;
 use futures::TryStreamExt;
+use itertools::Itertools;
 use nexus_client::types::ActivationReason;
 use nexus_client::types::BackgroundTask;
 use nexus_client::types::BackgroundTasksActivateRequest;
@@ -33,6 +34,7 @@ use nexus_saga_recovery::LastPass;
 use nexus_types::deployment::Blueprint;
 use nexus_types::internal_api::background::LookupRegionPortStatus;
 use nexus_types::internal_api::background::RegionReplacementDriverStatus;
+use nexus_types::internal_api::background::RegionSnapshotReplacementGarbageCollectStatus;
 use nexus_types::internal_api::background::RegionSnapshotReplacementStartStatus;
 use nexus_types::inventory::BaseboardId;
 use omicron_uuid_kinds::CollectionUuid;
@@ -46,6 +48,7 @@ use reedline::Reedline;
 use serde::Deserialize;
 use slog_error_chain::InlineErrorChain;
 use std::collections::BTreeMap;
+use std::collections::BTreeSet;
 use std::str::FromStr;
 use tabled::Tabled;
 use uuid::Uuid;
@@ -93,11 +96,21 @@ enum BackgroundTasksCommands {
     /// Print a summary of the status of all background tasks
     List,
     /// Print human-readable summary of the status of each background task
-    Show,
+    Show(BackgroundTasksShowArgs),
     /// Activate one or more background tasks
     Activate(BackgroundTasksActivateArgs),
 }
 
+#[derive(Debug, Args)]
+struct BackgroundTasksShowArgs {
+    /// Names of background tasks to show (default: all)
+    ///
+    /// You can use any background task name here or one of the special strings
+    /// "all", "dns_external", or "dns_internal".
+    #[clap(value_name = "TASK_NAME")]
+    tasks: Vec<String>,
+}
+
 #[derive(Debug, Args)]
 struct BackgroundTasksActivateArgs {
     /// Name of the background tasks to activate
@@ -361,8 +374,8 @@ impl NexusArgs {
                 command: BackgroundTasksCommands::List,
             }) => cmd_nexus_background_tasks_list(&client).await,
             NexusCommands::BackgroundTasks(BackgroundTasksArgs {
-                command: BackgroundTasksCommands::Show,
-            }) => cmd_nexus_background_tasks_show(&client).await,
+                command: BackgroundTasksCommands::Show(args),
+            }) => cmd_nexus_background_tasks_show(&client, args).await,
             NexusCommands::BackgroundTasks(BackgroundTasksArgs {
                 command: BackgroundTasksCommands::Activate(args),
             }) => {
@@ -523,7 +536,9 @@ async fn cmd_nexus_background_tasks_list(
 ) -> Result<(), anyhow::Error> {
     let response =
         client.bgtask_list().await.context("listing background tasks")?;
-    let tasks = response.into_inner();
+    // Convert the HashMap to a BTreeMap because we want the keys in sorted
+    // order.
+    let tasks = response.into_inner().into_iter().collect::<BTreeMap<_, _>>();
     let table_rows = tasks.values().map(BackgroundTaskStatusRow::from);
     let table = tabled::Table::new(table_rows)
         .with(tabled::settings::Style::empty())
@@ -536,6 +551,7 @@ async fn cmd_nexus_background_tasks_list(
 /// Runs `omdb nexus background-tasks show`
 async fn cmd_nexus_background_tasks_show(
     client: &nexus_client::Client,
+    args: &BackgroundTasksShowArgs,
 ) -> Result<(), anyhow::Error> {
     let response =
         client.bgtask_list().await.context("listing background tasks")?;
@@ -544,8 +560,50 @@ async fn cmd_nexus_background_tasks_show(
     let mut tasks =
         response.into_inner().into_iter().collect::<BTreeMap<_, _>>();
 
-    // We want to pick the order that we print some tasks intentionally.  Then
-    // we want to print anything else that we find.
+    // Now, pick out the tasks that the user selected.
+    //
+    // The set of user tasks may include:
+    //
+    // - nothing at all, in which case we include all tasks
+    // - individual task names
+    // - certain groups that we recognize, like "dns_external" for all the tasks
+    //   related to external DNS propagation.  "all" means "all tasks".
+    let selected_set: BTreeSet<_> =
+        args.tasks.iter().map(AsRef::as_ref).collect();
+    let selected_all = selected_set.is_empty() || selected_set.contains("all");
+    if !selected_all {
+        for s in &selected_set {
+            if !tasks.contains_key(*s)
+                && *s != "all"
+                && *s != "dns_external"
+                && *s != "dns_internal"
+            {
+                bail!(
+                    "unknown task name: {:?} (known task names: all, \
+                    dns_external, dns_internal, {})",
+                    s,
+                    tasks.keys().join(", ")
+                );
+            }
+        }
+
+        tasks.retain(|k, _| {
+            selected_set.contains(k.as_str())
+                || selected_set.contains("all")
+                || (selected_set.contains("dns_external")
+                    && k.starts_with("dns_")
+                    && k.ends_with("_external"))
+                || (selected_set.contains("dns_internal")
+                    && k.starts_with("dns_")
+                    && k.ends_with("_internal"))
+        });
+    }
+
+    // Some tasks should be grouped and printed together in a certain order,
+    // even though their names aren't alphabetical.  Notably, the DNS tasks
+    // logically go from config -> servers -> propagation, so we want to print
+    // them in that order.  So we pick these out first and then print anything
+    // else that we find in alphabetical order.
     for name in [
         "dns_config_internal",
         "dns_servers_internal",
@@ -559,7 +617,7 @@ async fn cmd_nexus_background_tasks_show(
     ] {
         if let Some(bgtask) = tasks.remove(name) {
             print_task(&bgtask);
-        } else {
+        } else if selected_all {
             eprintln!("warning: expected to find background task {:?}", name);
         }
     }
@@ -1395,7 +1453,7 @@ fn print_task_details(bgtask: &BackgroundTask, details: &serde_json::Value) {
                 }
             }
         };
-    } else if name == "region_snapshot_replacement" {
+    } else if name == "region_snapshot_replacement_start" {
         match serde_json::from_value::<RegionSnapshotReplacementStartStatus>(
             details.clone(),
         ) {
@@ -1421,6 +1479,31 @@ fn print_task_details(bgtask: &BackgroundTask, details: &serde_json::Value) {
                     println!("    > {line}");
                 }
 
+                println!("    errors: {}", status.errors.len());
+                for line in &status.errors {
+                    println!("    > {line}");
+                }
+            }
+        }
+    } else if name == "region_snapshot_replacement_garbage_collection" {
+        match serde_json::from_value::<
+            RegionSnapshotReplacementGarbageCollectStatus,
+        >(details.clone())
+        {
+            Err(error) => eprintln!(
+                "warning: failed to interpret task details: {:?}: {:?}",
+                error, details
+            ),
+
+            Ok(status) => {
+                println!(
+                    "    total garbage collections requested: {}",
+                    status.garbage_collect_requested.len(),
+                );
+                for line in &status.garbage_collect_requested {
+                    println!("    > {line}");
+                }
+
                 println!("    errors: {}", status.errors.len());
                 for line in &status.errors {
                     println!("    > {line}");
diff --git a/dev-tools/omdb/tests/env.out b/dev-tools/omdb/tests/env.out
index 59d9310b57..ec407cd123 100644
--- a/dev-tools/omdb/tests/env.out
+++ b/dev-tools/omdb/tests/env.out
@@ -127,6 +127,10 @@ task: "region_replacement_driver"
     drive region replacements forward to completion
 
 
+task: "region_snapshot_replacement_garbage_collection"
+    clean up all region snapshot replacement step volumes
+
+
 task: "region_snapshot_replacement_start"
     detect if region snapshots need replacement and begin the process
 
@@ -280,6 +284,10 @@ task: "region_replacement_driver"
     drive region replacements forward to completion
 
 
+task: "region_snapshot_replacement_garbage_collection"
+    clean up all region snapshot replacement step volumes
+
+
 task: "region_snapshot_replacement_start"
     detect if region snapshots need replacement and begin the process
 
@@ -420,6 +428,10 @@ task: "region_replacement_driver"
     drive region replacements forward to completion
 
 
+task: "region_snapshot_replacement_garbage_collection"
+    clean up all region snapshot replacement step volumes
+
+
 task: "region_snapshot_replacement_start"
     detect if region snapshots need replacement and begin the process
 
diff --git a/dev-tools/omdb/tests/successes.out b/dev-tools/omdb/tests/successes.out
index 166936da9c..9d432525c3 100644
--- a/dev-tools/omdb/tests/successes.out
+++ b/dev-tools/omdb/tests/successes.out
@@ -328,6 +328,10 @@ task: "region_replacement_driver"
     drive region replacements forward to completion
 
 
+task: "region_snapshot_replacement_garbage_collection"
+    clean up all region snapshot replacement step volumes
+
+
 task: "region_snapshot_replacement_start"
     detect if region snapshots need replacement and begin the process
 
@@ -570,12 +574,430 @@ task: "region_replacement_driver"
     number of region replacement finish sagas started ok: 0
     number of errors: 0
 
+task: "region_snapshot_replacement_garbage_collection"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    total garbage collections requested: 0
+    errors: 0
+
+task: "region_snapshot_replacement_start"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    total requests created ok: 0
+    total start saga invoked ok: 0
+    errors: 0
+
+task: "saga_recovery"
+  configured period: every 10m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    since Nexus started:
+        sagas recovered:           0
+        sagas recovery errors:     0
+        sagas observed started:    0
+        sagas inferred finished:   0
+        missing from SEC:          0
+        bad state in SEC:          0
+    last pass:
+        found sagas:   0 (in-progress, assigned to this Nexus)
+        recovered:     0 (successfully)
+        failed:        0
+        skipped:       0 (already running)
+        removed:       0 (newly finished)
+    no recovered sagas
+    no saga recovery failures
+
+task: "service_firewall_rule_propagation"
+  configured period: every 5m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+
+task: "service_zone_nat_tracker"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: inventory collection is None
+
+task: "switch_port_config_manager"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+warning: unknown background task: "switch_port_config_manager" (don't know how to interpret details: Object {})
+
+task: "v2p_manager"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+warning: unknown background task: "v2p_manager" (don't know how to interpret details: Object {})
+
+task: "vpc_route_manager"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+warning: unknown background task: "vpc_route_manager" (don't know how to interpret details: Object {})
+
+---------------------------------------------
+stderr:
+note: using Nexus URL http://127.0.0.1:REDACTED_PORT/
+=============================================
+EXECUTING COMMAND: omdb ["nexus", "background-tasks", "show", "saga_recovery"]
+termination: Exited(0)
+---------------------------------------------
+stdout:
+task: "saga_recovery"
+  configured period: every 10m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    since Nexus started:
+        sagas recovered:           0
+        sagas recovery errors:     0
+        sagas observed started:    0
+        sagas inferred finished:   0
+        missing from SEC:          0
+        bad state in SEC:          0
+    last pass:
+        found sagas:   0 (in-progress, assigned to this Nexus)
+        recovered:     0 (successfully)
+        failed:        0
+        skipped:       0 (already running)
+        removed:       0 (newly finished)
+    no recovered sagas
+    no saga recovery failures
+
+---------------------------------------------
+stderr:
+note: using Nexus URL http://127.0.0.1:REDACTED_PORT/
+=============================================
+EXECUTING COMMAND: omdb ["nexus", "background-tasks", "show", "blueprint_loader", "blueprint_executor"]
+termination: Exited(0)
+---------------------------------------------
+stdout:
+task: "blueprint_loader"
+  configured period: every 1m <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: failed to read target blueprint: Internal Error: no target blueprint set
+
+task: "blueprint_executor"
+  configured period: every 10m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: no blueprint
+
+---------------------------------------------
+stderr:
+note: using Nexus URL http://127.0.0.1:REDACTED_PORT/
+=============================================
+EXECUTING COMMAND: omdb ["nexus", "background-tasks", "show", "dns_internal"]
+termination: Exited(0)
+---------------------------------------------
+stdout:
+task: "dns_config_internal"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last generation found: 1
+
+task: "dns_servers_internal"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    servers found: 1
+
+      DNS_SERVER_ADDR 
+      [::1]:REDACTED_PORT     
+
+task: "dns_propagation_internal"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a dependent task completing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    attempt to propagate generation: 1
+
+      DNS_SERVER_ADDR LAST_RESULT 
+      [::1]:REDACTED_PORT     success     
+
+
+---------------------------------------------
+stderr:
+note: using Nexus URL http://127.0.0.1:REDACTED_PORT/
+=============================================
+EXECUTING COMMAND: omdb ["nexus", "background-tasks", "show", "dns_external"]
+termination: Exited(0)
+---------------------------------------------
+stdout:
+task: "dns_config_external"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last generation found: 2
+
+task: "dns_servers_external"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    servers found: 1
+
+      DNS_SERVER_ADDR 
+      [::1]:REDACTED_PORT     
+
+task: "dns_propagation_external"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a dependent task completing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    attempt to propagate generation: 2
+
+      DNS_SERVER_ADDR LAST_RESULT 
+      [::1]:REDACTED_PORT     success     
+
+
+---------------------------------------------
+stderr:
+note: using Nexus URL http://127.0.0.1:REDACTED_PORT/
+=============================================
+EXECUTING COMMAND: omdb ["nexus", "background-tasks", "show", "all"]
+termination: Exited(0)
+---------------------------------------------
+stdout:
+task: "dns_config_internal"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last generation found: 1
+
+task: "dns_servers_internal"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    servers found: 1
+
+      DNS_SERVER_ADDR 
+      [::1]:REDACTED_PORT     
+
+task: "dns_propagation_internal"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a dependent task completing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    attempt to propagate generation: 1
+
+      DNS_SERVER_ADDR LAST_RESULT 
+      [::1]:REDACTED_PORT     success     
+
+
+task: "dns_config_external"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last generation found: 2
+
+task: "dns_servers_external"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    servers found: 1
+
+      DNS_SERVER_ADDR 
+      [::1]:REDACTED_PORT     
+
+task: "dns_propagation_external"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a dependent task completing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    attempt to propagate generation: 2
+
+      DNS_SERVER_ADDR LAST_RESULT 
+      [::1]:REDACTED_PORT     success     
+
+
+task: "nat_v4_garbage_collector"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: failed to resolve addresses for Dendrite services: no record found for Query { name: Name("_dendrite._tcp.control-plane.oxide.internal."), query_type: SRV, query_class: IN }
+
+task: "blueprint_loader"
+  configured period: every 1m <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: failed to read target blueprint: Internal Error: no target blueprint set
+
+task: "blueprint_executor"
+  configured period: every 10m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: no blueprint
+
+task: "abandoned_vmm_reaper"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    total abandoned VMMs found: 0
+      VMM records deleted: 0
+      VMM records already deleted by another Nexus: 0
+    sled resource reservations deleted: 0
+
+task: "bfd_manager"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: failed to resolve addresses for Dendrite services: no record found for Query { name: Name("_dendrite._tcp.control-plane.oxide.internal."), query_type: SRV, query_class: IN }
+
+task: "crdb_node_id_collector"
+  configured period: every 10m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: no blueprint
+
+task: "decommissioned_disk_cleaner"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+warning: unknown background task: "decommissioned_disk_cleaner" (don't know how to interpret details: Object {"deleted": Number(0), "error": Null, "error_count": Number(0), "found": Number(0), "not_ready_to_be_deleted": Number(0)})
+
+task: "external_endpoints"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    external API endpoints: 2 ('*' below marks default)
+
+          SILO_ID                              DNS_NAME                           
+          ..........<REDACTED_UUID>........... default-silo.sys.oxide-dev.test    
+        * ..........<REDACTED_UUID>........... test-suite-silo.sys.oxide-dev.test 
+
+    warnings: 2
+        warning: silo ..........<REDACTED_UUID>........... with DNS name "default-silo.sys.oxide-dev.test" has no usable certificates
+        warning: silo ..........<REDACTED_UUID>........... with DNS name "test-suite-silo.sys.oxide-dev.test" has no usable certificates
+
+    TLS certificates: 0
+
+task: "instance_updater"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    total instances in need of updates: 0
+      instances with destroyed active VMMs: 0
+      instances with terminated active migrations: 0
+    update sagas started: 0
+    update sagas completed successfully: 0
+
+task: "instance_watcher"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    total instances checked: 0
+    checks completed: 0
+       successful checks: 0
+       update sagas queued: 0
+       failed checks: 0
+    checks that could not be completed: 0
+    stale instance metrics pruned: 0
+
+task: "inventory_collection"
+  configured period: every 10m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last collection id:      ..........<REDACTED_UUID>...........
+    last collection started: <REDACTED_TIMESTAMP>
+    last collection done:    <REDACTED_TIMESTAMP>
+
+task: "lookup_region_port"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    total filled in ports: 0
+    errors: 0
+
+task: "metrics_producer_gc"
+  configured period: every 1m
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+warning: unknown background task: "metrics_producer_gc" (don't know how to interpret details: Object {"expiration": String("<REDACTED           TIMESTAMP>"), "pruned": Array []})
+
+task: "phantom_disks"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    number of phantom disks deleted: 0
+    number of phantom disk delete errors: 0
+
+task: "physical_disk_adoption"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a dependent task completing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    last completion reported error: task disabled
+
+task: "region_replacement"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    number of region replacements started ok: 0
+    number of region replacement start errors: 0
+
+task: "region_replacement_driver"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    number of region replacement drive sagas started ok: 0
+    number of region replacement finish sagas started ok: 0
+    number of errors: 0
+
+task: "region_snapshot_replacement_garbage_collection"
+  configured period: every <REDACTED_DURATION>s
+  currently executing: no
+  last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+    total garbage collections requested: 0
+    errors: 0
+
 task: "region_snapshot_replacement_start"
   configured period: every <REDACTED_DURATION>s
   currently executing: no
   last completed activation: <REDACTED ITERATIONS>, triggered by a periodic timer firing
     started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
-warning: unknown background task: "region_snapshot_replacement_start" (don't know how to interpret details: Object {"errors": Array [], "requests_created_ok": Array [], "start_invoked_ok": Array []})
+    total requests created ok: 0
+    total start saga invoked ok: 0
+    errors: 0
 
 task: "saga_recovery"
   configured period: every 10m
diff --git a/dev-tools/omdb/tests/test_all_output.rs b/dev-tools/omdb/tests/test_all_output.rs
index d0258aeaed..45492c14ce 100644
--- a/dev-tools/omdb/tests/test_all_output.rs
+++ b/dev-tools/omdb/tests/test_all_output.rs
@@ -80,6 +80,7 @@ async fn test_omdb_usage_errors() {
         &["mgs"],
         &["nexus"],
         &["nexus", "background-tasks"],
+        &["nexus", "background-tasks", "show", "--help"],
         &["nexus", "blueprints"],
         &["nexus", "sagas"],
         // Missing "--destructive" flag.  The URL is bogus but just ensures that
@@ -144,6 +145,19 @@ async fn test_omdb_success_cases(cptestctx: &ControlPlaneTestContext) {
         &["mgs", "inventory"],
         &["nexus", "background-tasks", "doc"],
         &["nexus", "background-tasks", "show"],
+        // background tasks: test picking out specific names
+        &["nexus", "background-tasks", "show", "saga_recovery"],
+        &[
+            "nexus",
+            "background-tasks",
+            "show",
+            "blueprint_loader",
+            "blueprint_executor",
+        ],
+        // background tasks: test recognized group names
+        &["nexus", "background-tasks", "show", "dns_internal"],
+        &["nexus", "background-tasks", "show", "dns_external"],
+        &["nexus", "background-tasks", "show", "all"],
         &["nexus", "sagas", "list"],
         &["--destructive", "nexus", "sagas", "demo-create"],
         &["nexus", "sagas", "list"],
diff --git a/dev-tools/omdb/tests/usage_errors.out b/dev-tools/omdb/tests/usage_errors.out
index 1ee07410bf..55781136b6 100644
--- a/dev-tools/omdb/tests/usage_errors.out
+++ b/dev-tools/omdb/tests/usage_errors.out
@@ -491,6 +491,46 @@ Connection Options:
 Safety Options:
   -w, --destructive  Allow potentially-destructive subcommands
 =============================================
+EXECUTING COMMAND: omdb ["nexus", "background-tasks", "show", "--help"]
+termination: Exited(0)
+---------------------------------------------
+stdout:
+Print human-readable summary of the status of each background task
+
+Usage: omdb nexus background-tasks show [OPTIONS] [TASK_NAME]...
+
+Arguments:
+  [TASK_NAME]...
+          Names of background tasks to show (default: all)
+          
+          You can use any background task name here or one of the special strings "all",
+          "dns_external", or "dns_internal".
+
+Options:
+      --log-level <LOG_LEVEL>
+          log level filter
+          
+          [env: LOG_LEVEL=]
+          [default: warn]
+
+  -h, --help
+          Print help (see a summary with '-h')
+
+Connection Options:
+      --nexus-internal-url <NEXUS_INTERNAL_URL>
+          URL of the Nexus internal API
+          
+          [env: OMDB_NEXUS_URL=]
+
+      --dns-server <DNS_SERVER>
+          [env: OMDB_DNS_SERVER=]
+
+Safety Options:
+  -w, --destructive
+          Allow potentially-destructive subcommands
+---------------------------------------------
+stderr:
+=============================================
 EXECUTING COMMAND: omdb ["nexus", "blueprints"]
 termination: Exited(2)
 ---------------------------------------------
diff --git a/dns-server/Cargo.toml b/dns-server/Cargo.toml
index d11dabaf85..b4516b8b77 100644
--- a/dns-server/Cargo.toml
+++ b/dns-server/Cargo.toml
@@ -15,24 +15,24 @@ clap.workspace = true
 dns-server-api.workspace = true
 dns-service-client.workspace = true
 dropshot.workspace = true
+hickory-client.workspace = true
+hickory-proto.workspace = true
+hickory-resolver.workspace = true
+hickory-server.workspace = true
 http.workspace = true
 pretty-hex.workspace = true
 schemars.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 sled.workspace = true
-slog.workspace = true
-slog-term.workspace = true
 slog-async.workspace = true
 slog-envlogger.workspace = true
+slog-term.workspace = true
+slog.workspace = true
 tempfile.workspace = true
 thiserror.workspace = true
 tokio = { workspace = true, features = [ "full" ] }
 toml.workspace = true
-trust-dns-client.workspace = true
-trust-dns-proto.workspace = true
-trust-dns-resolver.workspace = true
-trust-dns-server.workspace = true
 uuid.workspace = true
 omicron-workspace-hack.workspace = true
 
@@ -44,4 +44,3 @@ openapiv3.workspace = true
 openapi-lint.workspace = true
 serde_json.workspace = true
 subprocess.workspace = true
-trust-dns-resolver.workspace = true
diff --git a/dns-server/src/bin/dns-server.rs b/dns-server/src/bin/dns-server.rs
index 52a9c17c0d..9e8d098ee2 100644
--- a/dns-server/src/bin/dns-server.rs
+++ b/dns-server/src/bin/dns-server.rs
@@ -3,7 +3,7 @@
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
 //! Executable that starts the HTTP-configurable DNS server used for both
-//! internal DNS (RFD 248) and extenral DNS (RFD 357) for the Oxide system
+//! internal DNS (RFD 248) and external DNS (RFD 357) for the Oxide system
 
 use anyhow::anyhow;
 use anyhow::Context;
diff --git a/dns-server/src/dns_server.rs b/dns-server/src/dns_server.rs
index 5c761f2aa3..4ecbe382c8 100644
--- a/dns-server/src/dns_server.rs
+++ b/dns-server/src/dns_server.rs
@@ -13,6 +13,19 @@ use crate::storage::Store;
 use anyhow::anyhow;
 use anyhow::Context;
 use dns_server_api::DnsRecord;
+use hickory_proto::op::Header;
+use hickory_proto::op::ResponseCode;
+use hickory_proto::rr::rdata::SRV;
+use hickory_proto::rr::RData;
+use hickory_proto::rr::Record;
+use hickory_proto::rr::RecordType;
+use hickory_proto::serialize::binary::BinDecodable;
+use hickory_proto::serialize::binary::BinDecoder;
+use hickory_proto::serialize::binary::BinEncoder;
+use hickory_resolver::Name;
+use hickory_server::authority::MessageRequest;
+use hickory_server::authority::MessageResponse;
+use hickory_server::authority::MessageResponseBuilder;
 use pretty_hex::*;
 use serde::Deserialize;
 use slog::{debug, error, info, o, trace, Logger};
@@ -21,17 +34,6 @@ use std::str::FromStr;
 use std::sync::Arc;
 use thiserror::Error;
 use tokio::net::UdpSocket;
-use trust_dns_proto::op::header::Header;
-use trust_dns_proto::op::response_code::ResponseCode;
-use trust_dns_proto::rr::rdata::SRV;
-use trust_dns_proto::rr::record_data::RData;
-use trust_dns_proto::rr::record_type::RecordType;
-use trust_dns_proto::rr::{Name, Record};
-use trust_dns_proto::serialize::binary::{
-    BinDecodable, BinDecoder, BinEncoder,
-};
-use trust_dns_server::authority::MessageResponse;
-use trust_dns_server::authority::{MessageRequest, MessageResponseBuilder};
 use uuid::Uuid;
 
 /// Configuration related to the DNS server
@@ -167,7 +169,10 @@ async fn handle_dns_packet(request: Request) {
         Err(error) => {
             let header = Header::response_from_request(mr.header());
             let rb_servfail = MessageResponseBuilder::from_message_request(&mr);
-            error!(log, "failed to handle incoming DNS message: {:#}", error);
+            error!(
+                log,
+                "failed to handle incoming DNS message: {:#?} {:#}", mr, error
+            );
             match error {
                 RequestError::NxDomain(_) => {
                     let rb_nxdomain =
@@ -222,7 +227,7 @@ fn dns_record_to_record(
             let mut a = Record::new();
             a.set_name(name.clone())
                 .set_rr_type(RecordType::A)
-                .set_data(Some(RData::A(addr)));
+                .set_data(Some(RData::A(addr.into())));
             Ok(a)
         }
 
@@ -230,7 +235,7 @@ fn dns_record_to_record(
             let mut aaaa = Record::new();
             aaaa.set_name(name.clone())
                 .set_rr_type(RecordType::AAAA)
-                .set_data(Some(RData::AAAA(addr)));
+                .set_data(Some(RData::AAAA(addr.into())));
             Ok(aaaa)
         }
 
diff --git a/dns-server/src/lib.rs b/dns-server/src/lib.rs
index 424159e41d..8abd3b945e 100644
--- a/dns-server/src/lib.rs
+++ b/dns-server/src/lib.rs
@@ -47,13 +47,13 @@ pub mod http_server;
 pub mod storage;
 
 use anyhow::{anyhow, Context};
+use hickory_resolver::config::NameServerConfig;
+use hickory_resolver::config::Protocol;
+use hickory_resolver::config::ResolverConfig;
+use hickory_resolver::config::ResolverOpts;
+use hickory_resolver::TokioAsyncResolver;
 use slog::o;
 use std::net::SocketAddr;
-use trust_dns_resolver::config::NameServerConfig;
-use trust_dns_resolver::config::Protocol;
-use trust_dns_resolver::config::ResolverConfig;
-use trust_dns_resolver::config::ResolverOpts;
-use trust_dns_resolver::TokioAsyncResolver;
 
 /// Starts both the HTTP and DNS servers over a given store.
 pub async fn start_servers(
@@ -167,12 +167,14 @@ impl TransientServer {
             socket_addr: self.dns_server.local_address(),
             protocol: Protocol::Udp,
             tls_dns_name: None,
-            trust_nx_responses: false,
+            trust_negative_responses: false,
             bind_addr: None,
         });
+        let mut resolver_opts = ResolverOpts::default();
+        // Enable edns for potentially larger records
+        resolver_opts.edns0 = true;
         let resolver =
-            TokioAsyncResolver::tokio(resolver_config, ResolverOpts::default())
-                .context("creating DNS resolver")?;
+            TokioAsyncResolver::tokio(resolver_config, resolver_opts);
         Ok(resolver)
     }
 }
diff --git a/dns-server/src/storage.rs b/dns-server/src/storage.rs
index 85b2e79b8b..b3141f6751 100644
--- a/dns-server/src/storage.rs
+++ b/dns-server/src/storage.rs
@@ -95,6 +95,8 @@
 use anyhow::{anyhow, Context};
 use camino::Utf8PathBuf;
 use dns_server_api::{DnsConfig, DnsConfigParams, DnsConfigZone, DnsRecord};
+use hickory_proto::rr::LowerName;
+use hickory_resolver::Name;
 use serde::{Deserialize, Serialize};
 use sled::transaction::ConflictableTransactionError;
 use slog::{debug, error, info, o, warn};
@@ -104,8 +106,6 @@ use std::sync::atomic::Ordering;
 use std::sync::Arc;
 use thiserror::Error;
 use tokio::sync::Mutex;
-use trust_dns_client::rr::LowerName;
-use trust_dns_client::rr::Name;
 
 const KEY_CONFIG: &'static str = "config";
 
@@ -586,7 +586,7 @@ impl Store {
     /// If the returned set would have been empty, returns `QueryError::NoName`.
     pub(crate) fn query(
         &self,
-        mr: &trust_dns_server::authority::MessageRequest,
+        mr: &hickory_server::authority::MessageRequest,
     ) -> Result<Vec<DnsRecord>, QueryError> {
         let name = mr.query().name();
         let orig_name = mr.query().original().name();
@@ -784,14 +784,14 @@ mod test {
     use dns_server_api::DnsConfigParams;
     use dns_server_api::DnsConfigZone;
     use dns_server_api::DnsRecord;
+    use hickory_proto::rr::LowerName;
+    use hickory_resolver::Name;
     use omicron_test_utils::dev::test_setup_log;
     use std::collections::BTreeSet;
     use std::collections::HashMap;
     use std::net::Ipv6Addr;
     use std::str::FromStr;
     use std::sync::Arc;
-    use trust_dns_client::rr::LowerName;
-    use trust_dns_client::rr::Name;
 
     /// As usual, `TestContext` groups the various pieces we need in a bunch of
     /// our tests and helps make sure they get cleaned up properly.
diff --git a/dns-server/tests/basic_test.rs b/dns-server/tests/basic_test.rs
index b3b7f37378..fa5bfea468 100644
--- a/dns-server/tests/basic_test.rs
+++ b/dns-server/tests/basic_test.rs
@@ -9,6 +9,12 @@ use dns_service_client::{
     Client,
 };
 use dropshot::{test_util::LogContext, HandlerTaskMode};
+use hickory_resolver::error::ResolveErrorKind;
+use hickory_resolver::TokioAsyncResolver;
+use hickory_resolver::{
+    config::{NameServerConfig, Protocol, ResolverConfig, ResolverOpts},
+    proto::op::ResponseCode,
+};
 use omicron_test_utils::dev::test_setup_log;
 use slog::o;
 use std::{
@@ -16,12 +22,6 @@ use std::{
     net::Ipv6Addr,
     net::{IpAddr, Ipv4Addr},
 };
-use trust_dns_resolver::error::ResolveErrorKind;
-use trust_dns_resolver::TokioAsyncResolver;
-use trust_dns_resolver::{
-    config::{NameServerConfig, Protocol, ResolverConfig, ResolverOpts},
-    proto::op::ResponseCode,
-};
 
 const TEST_ZONE: &'static str = "oxide.internal";
 
@@ -374,17 +374,19 @@ async fn init_client_server(
     )
     .await?;
 
-    let mut rc = ResolverConfig::new();
-    rc.add_name_server(NameServerConfig {
+    let mut resolver_config = ResolverConfig::new();
+    resolver_config.add_name_server(NameServerConfig {
         socket_addr: dns_server.local_address(),
         protocol: Protocol::Udp,
         tls_dns_name: None,
-        trust_nx_responses: false,
+        trust_negative_responses: false,
         bind_addr: None,
     });
+    let mut resolver_opts = ResolverOpts::default();
+    // Enable edns for potentially larger records
+    resolver_opts.edns0 = true;
 
-    let resolver =
-        TokioAsyncResolver::tokio(rc, ResolverOpts::default()).unwrap();
+    let resolver = TokioAsyncResolver::tokio(resolver_config, resolver_opts);
     let client =
         Client::new(&format!("http://{}", dropshot_server.local_addr()), log);
 
diff --git a/end-to-end-tests/Cargo.toml b/end-to-end-tests/Cargo.toml
index 781f3fb1c6..b2400f7603 100644
--- a/end-to-end-tests/Cargo.toml
+++ b/end-to-end-tests/Cargo.toml
@@ -26,7 +26,7 @@ serde_json.workspace = true
 sled-agent-types.workspace = true
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 toml.workspace = true
-trust-dns-resolver.workspace = true
+hickory-resolver.workspace = true
 uuid.workspace = true
 omicron-workspace-hack.workspace = true
 ispf.workspace = true
diff --git a/end-to-end-tests/src/helpers/ctx.rs b/end-to-end-tests/src/helpers/ctx.rs
index d9a2d7027a..5363557502 100644
--- a/end-to-end-tests/src/helpers/ctx.rs
+++ b/end-to-end-tests/src/helpers/ctx.rs
@@ -1,6 +1,7 @@
 use crate::helpers::generate_name;
 use anyhow::{anyhow, Context as _, Result};
 use chrono::Utc;
+use hickory_resolver::error::ResolveErrorKind;
 use omicron_test_utils::dev::poll::{wait_for_condition, CondCheckError};
 use oxide_client::types::{Name, ProjectCreate};
 use oxide_client::CustomDnsResolver;
@@ -13,7 +14,6 @@ use std::net::IpAddr;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
-use trust_dns_resolver::error::ResolveErrorKind;
 use uuid::Uuid;
 
 const RSS_CONFIG_STR: &str = include_str!(concat!(
diff --git a/installinator/Cargo.toml b/installinator/Cargo.toml
index 00dfb6440b..0d59950a2a 100644
--- a/installinator/Cargo.toml
+++ b/installinator/Cargo.toml
@@ -13,6 +13,7 @@ async-trait.workspace = true
 buf-list.workspace = true
 bytes.workspace = true
 camino.workspace = true
+camino-tempfile.workspace = true
 cancel-safe-futures.workspace = true
 clap.workspace = true
 display-error-chain.workspace = true
@@ -37,7 +38,6 @@ slog-async.workspace = true
 slog-envlogger.workspace = true
 slog-term.workspace = true
 smf.workspace = true
-tempfile.workspace = true
 thiserror.workspace = true
 tokio = { workspace = true, features = ["full"] }
 tufaceous-lib.workspace = true
@@ -50,7 +50,6 @@ omicron-test-utils.workspace = true
 hex-literal.workspace = true
 partial-io.workspace = true
 proptest.workspace = true
-tempfile.workspace = true
 test-strategy.workspace = true
 tokio = { workspace = true, features = ["test-util"] }
 tokio-stream.workspace = true
diff --git a/installinator/src/async_temp_file.rs b/installinator/src/async_temp_file.rs
index c884908ac8..168fffa2aa 100644
--- a/installinator/src/async_temp_file.rs
+++ b/installinator/src/async_temp_file.rs
@@ -3,13 +3,13 @@
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
 use camino::Utf8PathBuf;
+use camino_tempfile::NamedUtf8TempFile;
+use camino_tempfile::Utf8PathPersistError;
+use camino_tempfile::Utf8TempPath;
 use std::io;
 use std::pin::Pin;
 use std::task::Context;
 use std::task::Poll;
-use tempfile::NamedTempFile;
-use tempfile::PathPersistError;
-use tempfile::TempPath;
 use tokio::fs::File;
 use tokio::io::AsyncWrite;
 
@@ -18,7 +18,7 @@ pub(crate) struct AsyncNamedTempFile {
     // in our `persist()` method below. This allows us to drop the temp path
     // (deleting the temporary file) if we're dropped before `persist()` is
     // called.
-    temp_path: Option<TempPath>,
+    temp_path: Option<Utf8TempPath>,
     destination: Utf8PathBuf,
     inner: File,
 }
@@ -41,7 +41,7 @@ impl AsyncNamedTempFile {
             .to_owned();
 
         let temp_file =
-            tokio::task::spawn_blocking(|| NamedTempFile::new_in(parent))
+            tokio::task::spawn_blocking(|| NamedUtf8TempFile::new_in(parent))
                 .await
                 .unwrap()?;
         let temp_path = temp_file.into_temp_path();
@@ -62,7 +62,7 @@ impl AsyncNamedTempFile {
         tokio::task::spawn_blocking(move || temp_path.persist(&destination))
             .await
             .unwrap()
-            .map_err(|PathPersistError { error, .. }| error)
+            .map_err(|Utf8PathPersistError { error, .. }| error)
     }
 }
 
diff --git a/installinator/src/write.rs b/installinator/src/write.rs
index fdc83cffa2..583c5a7b51 100644
--- a/installinator/src/write.rs
+++ b/installinator/src/write.rs
@@ -918,6 +918,7 @@ mod tests {
     use anyhow::Result;
     use bytes::{Buf, Bytes};
     use camino::Utf8Path;
+    use camino_tempfile::tempdir;
     use futures::StreamExt;
     use installinator_common::{
         Event, InstallinatorCompletionMetadata, InstallinatorComponent,
@@ -934,7 +935,6 @@ mod tests {
         PartialAsyncWrite, PartialOp,
     };
     use proptest::prelude::*;
-    use tempfile::tempdir;
     use test_strategy::proptest;
     use tokio::io::AsyncReadExt;
     use tokio::sync::Mutex;
@@ -1032,7 +1032,7 @@ mod tests {
     ) -> Result<()> {
         let logctx = test_setup_log("test_write_artifact");
         let tempdir = tempdir()?;
-        let tempdir_path: &Utf8Path = tempdir.path().try_into()?;
+        let tempdir_path = tempdir.path();
 
         let destination_host = tempdir_path.join("test-host.bin");
         let destination_control_plane =
diff --git a/internal-dns-cli/Cargo.toml b/internal-dns-cli/Cargo.toml
index dae0af0280..3e34c21622 100644
--- a/internal-dns-cli/Cargo.toml
+++ b/internal-dns-cli/Cargo.toml
@@ -11,9 +11,9 @@ workspace = true
 anyhow.workspace = true
 clap.workspace = true
 dropshot.workspace = true
+hickory-resolver.workspace = true
 internal-dns.workspace = true
 omicron-common.workspace = true
 slog.workspace = true
 tokio.workspace = true
-trust-dns-resolver.workspace = true
 omicron-workspace-hack.workspace = true
diff --git a/internal-dns-cli/src/bin/dnswait.rs b/internal-dns-cli/src/bin/dnswait.rs
index 7cf6584084..deddc699b2 100644
--- a/internal-dns-cli/src/bin/dnswait.rs
+++ b/internal-dns-cli/src/bin/dnswait.rs
@@ -70,10 +70,8 @@ async fn main() -> Result<()> {
 
     let resolver = if opt.nameserver_addresses.is_empty() {
         info!(&log, "using system configuration");
-        let async_resolver =
-            trust_dns_resolver::AsyncResolver::tokio_from_system_conf()
-                .context("initializing resolver from system configuration")?;
-        Resolver::new_with_resolver(log.clone(), async_resolver)
+        Resolver::new_from_system_conf(log.clone())
+            .context("initializing resolver from system configuration")?
     } else {
         let addrs = opt.nameserver_addresses;
         info!(&log, "using explicit nameservers"; "nameservers" => ?addrs);
diff --git a/internal-dns/Cargo.toml b/internal-dns/Cargo.toml
index c08cc012c1..c12035e2cb 100644
--- a/internal-dns/Cargo.toml
+++ b/internal-dns/Cargo.toml
@@ -18,7 +18,7 @@ omicron-uuid-kinds.workspace = true
 reqwest = { workspace = true, features = ["rustls-tls", "stream"] }
 slog.workspace = true
 thiserror.workspace = true
-trust-dns-resolver.workspace = true
+hickory-resolver.workspace = true
 uuid.workspace = true
 omicron-workspace-hack.workspace = true
 
diff --git a/internal-dns/src/resolver.rs b/internal-dns/src/resolver.rs
index fdd5dce428..b3dadf16d2 100644
--- a/internal-dns/src/resolver.rs
+++ b/internal-dns/src/resolver.rs
@@ -2,24 +2,24 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
+use hickory_resolver::config::{
+    LookupIpStrategy, NameServerConfig, Protocol, ResolverConfig, ResolverOpts,
+};
+use hickory_resolver::lookup::SrvLookup;
+use hickory_resolver::TokioAsyncResolver;
 use hyper::client::connect::dns::Name;
 use omicron_common::address::{
     Ipv6Subnet, ReservedRackSubnet, AZ_PREFIX, DNS_PORT,
 };
 use slog::{debug, error, info, trace};
 use std::net::{IpAddr, Ipv6Addr, SocketAddr, SocketAddrV6};
-use trust_dns_resolver::config::{
-    LookupIpStrategy, NameServerConfig, Protocol, ResolverConfig, ResolverOpts,
-};
-use trust_dns_resolver::lookup::SrvLookup;
-use trust_dns_resolver::TokioAsyncResolver;
 
 pub type DnsError = dns_service_client::Error<dns_service_client::types::Error>;
 
 #[derive(Debug, Clone, thiserror::Error)]
 pub enum ResolveError {
     #[error(transparent)]
-    Resolve(#[from] trust_dns_resolver::error::ResolveError),
+    Resolve(#[from] hickory_resolver::error::ResolveError),
 
     #[error("Record not found for SRV key: {}", .0.dns_name())]
     NotFound(crate::ServiceName),
@@ -52,6 +52,19 @@ impl reqwest::dns::Resolve for Resolver {
 }
 
 impl Resolver {
+    /// Construct a new DNS resolver from the system configuration.
+    pub fn new_from_system_conf(
+        log: slog::Logger,
+    ) -> Result<Self, ResolveError> {
+        let (rc, mut opts) = hickory_resolver::system_conf::read_system_conf()?;
+        // Enable edns for potentially larger records
+        opts.edns0 = true;
+
+        let resolver = TokioAsyncResolver::tokio(rc, opts);
+
+        Ok(Self { log, resolver })
+    }
+
     /// Construct a new DNS resolver from specific DNS server addresses.
     pub fn new_from_addrs(
         log: slog::Logger,
@@ -66,18 +79,20 @@ impl Resolver {
                 socket_addr,
                 protocol: Protocol::Udp,
                 tls_dns_name: None,
-                trust_nx_responses: false,
+                trust_negative_responses: false,
                 bind_addr: None,
             });
         }
         let mut opts = ResolverOpts::default();
+        // Enable edns for potentially larger records
+        opts.edns0 = true;
         opts.use_hosts_file = false;
         opts.num_concurrent_reqs = dns_server_count;
         // The underlay is IPv6 only, so this helps avoid needless lookups of
         // the IPv4 variant.
         opts.ip_strategy = LookupIpStrategy::Ipv6Only;
         opts.negative_max_ttl = Some(std::time::Duration::from_secs(15));
-        let resolver = TokioAsyncResolver::tokio(rc, opts)?;
+        let resolver = TokioAsyncResolver::tokio(rc, opts);
 
         Ok(Self { log, resolver })
     }
@@ -163,7 +178,7 @@ impl Resolver {
             .iter()
             .next()
             .ok_or_else(|| ResolveError::NotFound(srv))?;
-        Ok(*address)
+        Ok(address.0)
     }
 
     /// Returns the targets of the SRV records for a DNS name
@@ -313,7 +328,7 @@ impl Resolver {
     //   (1) it returns `IpAddr`'s rather than `SocketAddr`'s
     //   (2) it doesn't actually return all the addresses from the Additional
     //       section of the DNS server's response.
-    //       See bluejekyll/trust-dns#1980
+    //       See hickory-dns/hickory-dns#1980
     //
     // (1) is not a huge deal as we can try to match up the targets ourselves
     // to grab the port for creating a `SocketAddr` but (2) means we need to do
@@ -350,10 +365,9 @@ impl Resolver {
             .await
             .into_iter()
             .flat_map(move |target| match target {
-                Ok((ips, port)) => Some(
-                    ips.into_iter()
-                        .map(move |ip| SocketAddrV6::new(ip, port, 0, 0)),
-                ),
+                Ok((ips, port)) => Some(ips.into_iter().map(move |aaaa| {
+                    SocketAddrV6::new(aaaa.into(), port, 0, 0)
+                })),
                 Err((target, err)) => {
                     error!(
                         log,
@@ -511,7 +525,7 @@ mod test {
         assert!(
             matches!(
                 dns_error.kind(),
-                trust_dns_resolver::error::ResolveErrorKind::NoRecordsFound { .. },
+                hickory_resolver::error::ResolveErrorKind::NoRecordsFound { .. },
             ),
             "Saw error: {dns_error}",
         );
@@ -664,7 +678,7 @@ mod test {
             error,
             ResolveError::Resolve(error)
                 if matches!(error.kind(),
-                    trust_dns_resolver::error::ResolveErrorKind::NoRecordsFound { .. }
+                    hickory_resolver::error::ResolveErrorKind::NoRecordsFound { .. }
                 )
         );
 
diff --git a/nexus-config/src/nexus_config.rs b/nexus-config/src/nexus_config.rs
index b222ebd23b..f6e60bb558 100644
--- a/nexus-config/src/nexus_config.rs
+++ b/nexus-config/src/nexus_config.rs
@@ -393,6 +393,9 @@ pub struct BackgroundTaskConfig {
     pub lookup_region_port: LookupRegionPortConfig,
     /// configuration for region snapshot replacement starter task
     pub region_snapshot_replacement_start: RegionSnapshotReplacementStartConfig,
+    /// configuration for region snapshot replacement garbage collection
+    pub region_snapshot_replacement_garbage_collection:
+        RegionSnapshotReplacementGarbageCollectionConfig,
 }
 
 #[serde_as]
@@ -637,6 +640,14 @@ pub struct RegionSnapshotReplacementStartConfig {
     pub period_secs: Duration,
 }
 
+#[serde_as]
+#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
+pub struct RegionSnapshotReplacementGarbageCollectionConfig {
+    /// period (in seconds) for periodic activations of this background task
+    #[serde_as(as = "DurationSeconds<u64>")]
+    pub period_secs: Duration,
+}
+
 /// Configuration for a nexus server
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
 pub struct PackageConfig {
@@ -885,6 +896,7 @@ mod test {
             saga_recovery.period_secs = 60
             lookup_region_port.period_secs = 60
             region_snapshot_replacement_start.period_secs = 30
+            region_snapshot_replacement_garbage_collection.period_secs = 30
             [default_region_allocation_strategy]
             type = "random"
             seed = 0
@@ -1051,6 +1063,10 @@ mod test {
                             RegionSnapshotReplacementStartConfig {
                                 period_secs: Duration::from_secs(30),
                             },
+                        region_snapshot_replacement_garbage_collection:
+                            RegionSnapshotReplacementGarbageCollectionConfig {
+                                period_secs: Duration::from_secs(30),
+                            },
                     },
                     default_region_allocation_strategy:
                         crate::nexus_config::RegionAllocationStrategy::Random {
@@ -1128,6 +1144,7 @@ mod test {
             saga_recovery.period_secs = 60
             lookup_region_port.period_secs = 60
             region_snapshot_replacement_start.period_secs = 30
+            region_snapshot_replacement_garbage_collection.period_secs = 30
             [default_region_allocation_strategy]
             type = "random"
             "##,
diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
index 1128cd8f0f..8977507505 100644
--- a/nexus/Cargo.toml
+++ b/nexus/Cargo.toml
@@ -35,6 +35,7 @@ futures.workspace = true
 gateway-client.workspace = true
 headers.workspace = true
 hex.workspace = true
+hickory-resolver.workspace = true
 http.workspace = true
 hyper.workspace = true
 illumos-utils.workspace = true
@@ -87,7 +88,6 @@ tokio = { workspace = true, features = ["full"] }
 tokio-postgres = { workspace = true, features = ["with-serde_json-1"] }
 tokio-util = { workspace = true, features = ["codec"] }
 tough.workspace = true
-trust-dns-resolver.workspace = true
 uuid.workspace = true
 
 nexus-auth.workspace = true
@@ -143,7 +143,7 @@ sp-sim.workspace = true
 rustls.workspace = true
 subprocess.workspace = true
 term.workspace = true
-trust-dns-resolver.workspace = true
+hickory-resolver.workspace = true
 tufaceous.workspace = true
 tufaceous-lib.workspace = true
 httptest.workspace = true
diff --git a/nexus/examples/config-second.toml b/nexus/examples/config-second.toml
index 572de807d7..c87e1255b5 100644
--- a/nexus/examples/config-second.toml
+++ b/nexus/examples/config-second.toml
@@ -140,6 +140,7 @@ abandoned_vmm_reaper.period_secs = 60
 saga_recovery.period_secs = 600
 lookup_region_port.period_secs = 60
 region_snapshot_replacement_start.period_secs = 30
+region_snapshot_replacement_garbage_collection.period_secs = 30
 
 [default_region_allocation_strategy]
 # allocate region on 3 random distinct zpools, on 3 random distinct sleds.
diff --git a/nexus/examples/config.toml b/nexus/examples/config.toml
index 3aebe35152..f844adccbe 100644
--- a/nexus/examples/config.toml
+++ b/nexus/examples/config.toml
@@ -126,6 +126,7 @@ abandoned_vmm_reaper.period_secs = 60
 saga_recovery.period_secs = 600
 lookup_region_port.period_secs = 60
 region_snapshot_replacement_start.period_secs = 30
+region_snapshot_replacement_garbage_collection.period_secs = 30
 
 [default_region_allocation_strategy]
 # allocate region on 3 random distinct zpools, on 3 random distinct sleds.
diff --git a/nexus/reconfigurator/execution/src/dns.rs b/nexus/reconfigurator/execution/src/dns.rs
index 885ffa67d1..846d19ead3 100644
--- a/nexus/reconfigurator/execution/src/dns.rs
+++ b/nexus/reconfigurator/execution/src/dns.rs
@@ -502,13 +502,13 @@ mod test {
     use omicron_common::address::get_switch_zone_address;
     use omicron_common::address::IpRange;
     use omicron_common::address::Ipv6Subnet;
-    use omicron_common::address::BOUNDARY_NTP_REDUNDANCY;
-    use omicron_common::address::COCKROACHDB_REDUNDANCY;
-    use omicron_common::address::NEXUS_REDUNDANCY;
     use omicron_common::address::RACK_PREFIX;
     use omicron_common::address::SLED_PREFIX;
     use omicron_common::api::external::Generation;
     use omicron_common::api::external::IdentityMetadataCreateParams;
+    use omicron_common::policy::BOUNDARY_NTP_REDUNDANCY;
+    use omicron_common::policy::COCKROACHDB_REDUNDANCY;
+    use omicron_common::policy::NEXUS_REDUNDANCY;
     use omicron_common::zpool_name::ZpoolName;
     use omicron_test_utils::dev::test_setup_log;
     use omicron_uuid_kinds::ExternalIpUuid;
diff --git a/nexus/reconfigurator/planning/src/system.rs b/nexus/reconfigurator/planning/src/system.rs
index f6989be9ef..7298db7a73 100644
--- a/nexus/reconfigurator/planning/src/system.rs
+++ b/nexus/reconfigurator/planning/src/system.rs
@@ -33,13 +33,13 @@ use nexus_types::inventory::SpType;
 use omicron_common::address::get_sled_address;
 use omicron_common::address::IpRange;
 use omicron_common::address::Ipv6Subnet;
-use omicron_common::address::NEXUS_REDUNDANCY;
 use omicron_common::address::RACK_PREFIX;
 use omicron_common::address::SLED_PREFIX;
 use omicron_common::api::external::ByteCount;
 use omicron_common::api::external::Generation;
 use omicron_common::disk::DiskIdentity;
 use omicron_common::disk::DiskVariant;
+use omicron_common::policy::NEXUS_REDUNDANCY;
 use omicron_uuid_kinds::GenericUuid;
 use omicron_uuid_kinds::PhysicalDiskUuid;
 use omicron_uuid_kinds::SledUuid;
@@ -328,6 +328,7 @@ impl SystemDescription {
             target_cockroachdb_zone_count: self.target_cockroachdb_zone_count,
             target_cockroachdb_cluster_version: self
                 .target_cockroachdb_cluster_version,
+            clickhouse_policy: None,
         };
         let mut builder = PlanningInputBuilder::new(
             policy,
diff --git a/nexus/reconfigurator/preparation/src/lib.rs b/nexus/reconfigurator/preparation/src/lib.rs
index e0ba0f10ba..fc0e4638f8 100644
--- a/nexus/reconfigurator/preparation/src/lib.rs
+++ b/nexus/reconfigurator/preparation/src/lib.rs
@@ -33,13 +33,13 @@ use nexus_types::identity::Resource;
 use nexus_types::inventory::Collection;
 use omicron_common::address::IpRange;
 use omicron_common::address::Ipv6Subnet;
-use omicron_common::address::BOUNDARY_NTP_REDUNDANCY;
-use omicron_common::address::COCKROACHDB_REDUNDANCY;
-use omicron_common::address::NEXUS_REDUNDANCY;
 use omicron_common::address::SLED_PREFIX;
 use omicron_common::api::external::Error;
 use omicron_common::api::external::LookupType;
 use omicron_common::disk::DiskIdentity;
+use omicron_common::policy::BOUNDARY_NTP_REDUNDANCY;
+use omicron_common::policy::COCKROACHDB_REDUNDANCY;
+use omicron_common::policy::NEXUS_REDUNDANCY;
 use omicron_uuid_kinds::GenericUuid;
 use omicron_uuid_kinds::OmicronZoneUuid;
 use omicron_uuid_kinds::PhysicalDiskUuid;
@@ -82,6 +82,7 @@ impl PlanningInputFromDb<'_> {
             target_cockroachdb_zone_count: self.target_cockroachdb_zone_count,
             target_cockroachdb_cluster_version: self
                 .target_cockroachdb_cluster_version,
+            clickhouse_policy: None,
         };
         let mut builder = PlanningInputBuilder::new(
             policy,
diff --git a/nexus/src/app/background/init.rs b/nexus/src/app/background/init.rs
index cc42a8f302..6bd805a491 100644
--- a/nexus/src/app/background/init.rs
+++ b/nexus/src/app/background/init.rs
@@ -108,6 +108,7 @@ use super::tasks::phantom_disks;
 use super::tasks::physical_disk_adoption;
 use super::tasks::region_replacement;
 use super::tasks::region_replacement_driver;
+use super::tasks::region_snapshot_replacement_garbage_collect::*;
 use super::tasks::region_snapshot_replacement_start::*;
 use super::tasks::saga_recovery;
 use super::tasks::service_firewall_rules;
@@ -163,6 +164,7 @@ pub struct BackgroundTasks {
     pub task_saga_recovery: Activator,
     pub task_lookup_region_port: Activator,
     pub task_region_snapshot_replacement_start: Activator,
+    pub task_region_snapshot_replacement_garbage_collection: Activator,
 
     // Handles to activate background tasks that do not get used by Nexus
     // at-large.  These background tasks are implementation details as far as
@@ -245,6 +247,8 @@ impl BackgroundTasksInitializer {
             task_saga_recovery: Activator::new(),
             task_lookup_region_port: Activator::new(),
             task_region_snapshot_replacement_start: Activator::new(),
+            task_region_snapshot_replacement_garbage_collection: Activator::new(
+            ),
 
             task_internal_dns_propagation: Activator::new(),
             task_external_dns_propagation: Activator::new(),
@@ -307,6 +311,7 @@ impl BackgroundTasksInitializer {
             task_saga_recovery,
             task_lookup_region_port,
             task_region_snapshot_replacement_start,
+            task_region_snapshot_replacement_garbage_collection,
             // Add new background tasks here.  Be sure to use this binding in a
             // call to `Driver::register()` below.  That's what actually wires
             // up the Activator to the corresponding background task.
@@ -739,7 +744,7 @@ impl BackgroundTasksInitializer {
                 process",
             period: config.region_snapshot_replacement_start.period_secs,
             task_impl: Box::new(RegionSnapshotReplacementDetector::new(
-                datastore,
+                datastore.clone(),
                 sagas.clone(),
             )),
             opctx: opctx.child(BTreeMap::new()),
@@ -747,6 +752,22 @@ impl BackgroundTasksInitializer {
             activator: task_region_snapshot_replacement_start,
         });
 
+        driver.register(TaskDefinition {
+            name: "region_snapshot_replacement_garbage_collection",
+            description:
+                "clean up all region snapshot replacement step volumes",
+            period: config
+                .region_snapshot_replacement_garbage_collection
+                .period_secs,
+            task_impl: Box::new(RegionSnapshotReplacementGarbageCollect::new(
+                datastore,
+                sagas.clone(),
+            )),
+            opctx: opctx.child(BTreeMap::new()),
+            watchers: vec![],
+            activator: task_region_snapshot_replacement_garbage_collection,
+        });
+
         driver
     }
 }
diff --git a/nexus/src/app/background/tasks/mod.rs b/nexus/src/app/background/tasks/mod.rs
index b0281afd9f..7ba68d0b80 100644
--- a/nexus/src/app/background/tasks/mod.rs
+++ b/nexus/src/app/background/tasks/mod.rs
@@ -25,6 +25,7 @@ pub mod phantom_disks;
 pub mod physical_disk_adoption;
 pub mod region_replacement;
 pub mod region_replacement_driver;
+pub mod region_snapshot_replacement_garbage_collect;
 pub mod region_snapshot_replacement_start;
 pub mod saga_recovery;
 pub mod service_firewall_rules;
diff --git a/nexus/src/app/background/tasks/region_snapshot_replacement_garbage_collect.rs b/nexus/src/app/background/tasks/region_snapshot_replacement_garbage_collect.rs
new file mode 100644
index 0000000000..4c66c166ff
--- /dev/null
+++ b/nexus/src/app/background/tasks/region_snapshot_replacement_garbage_collect.rs
@@ -0,0 +1,265 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Background task for deleting volumes that stash a replaced region snapshot
+
+use crate::app::authn;
+use crate::app::background::BackgroundTask;
+use crate::app::saga::StartSaga;
+use crate::app::sagas;
+use crate::app::sagas::region_snapshot_replacement_garbage_collect::*;
+use crate::app::sagas::NexusSaga;
+use futures::future::BoxFuture;
+use futures::FutureExt;
+use nexus_db_model::RegionSnapshotReplacement;
+use nexus_db_queries::context::OpContext;
+use nexus_db_queries::db::DataStore;
+use nexus_types::internal_api::background::RegionSnapshotReplacementGarbageCollectStatus;
+use serde_json::json;
+use std::sync::Arc;
+
+pub struct RegionSnapshotReplacementGarbageCollect {
+    datastore: Arc<DataStore>,
+    sagas: Arc<dyn StartSaga>,
+}
+
+impl RegionSnapshotReplacementGarbageCollect {
+    pub fn new(datastore: Arc<DataStore>, sagas: Arc<dyn StartSaga>) -> Self {
+        RegionSnapshotReplacementGarbageCollect { datastore, sagas }
+    }
+
+    async fn send_garbage_collect_request(
+        &self,
+        opctx: &OpContext,
+        request: RegionSnapshotReplacement,
+    ) -> Result<(), omicron_common::api::external::Error> {
+        let Some(old_snapshot_volume_id) = request.old_snapshot_volume_id
+        else {
+            // This state is illegal!
+            let s = format!(
+                "request {} old snapshot volume id is None!",
+                request.id,
+            );
+
+            return Err(omicron_common::api::external::Error::internal_error(
+                &s,
+            ));
+        };
+
+        let params =
+            sagas::region_snapshot_replacement_garbage_collect::Params {
+                serialized_authn: authn::saga::Serialized::for_opctx(opctx),
+                old_snapshot_volume_id,
+                request,
+            };
+
+        let saga_dag =
+            SagaRegionSnapshotReplacementGarbageCollect::prepare(&params)?;
+        self.sagas.saga_start(saga_dag).await
+    }
+
+    async fn clean_up_region_snapshot_replacement_volumes(
+        &self,
+        opctx: &OpContext,
+        status: &mut RegionSnapshotReplacementGarbageCollectStatus,
+    ) {
+        let log = &opctx.log;
+
+        let requests = match self
+            .datastore
+            .get_replacement_done_region_snapshot_replacements(opctx)
+            .await
+        {
+            Ok(requests) => requests,
+
+            Err(e) => {
+                let s = format!("querying for requests to collect failed! {e}");
+                error!(&log, "{s}");
+                status.errors.push(s);
+                return;
+            }
+        };
+
+        for request in requests {
+            let request_id = request.id;
+
+            let result =
+                self.send_garbage_collect_request(opctx, request.clone()).await;
+
+            match result {
+                Ok(()) => {
+                    let s = format!(
+                        "region snapshot replacement garbage collect request \
+                        ok for {request_id}"
+                    );
+
+                    info!(
+                        &log,
+                        "{s}";
+                        "request.snapshot_id" => %request.old_snapshot_id,
+                        "request.region_id" => %request.old_region_id,
+                        "request.dataset_id" => %request.old_dataset_id,
+                    );
+                    status.garbage_collect_requested.push(s);
+                }
+
+                Err(e) => {
+                    let s = format!(
+                        "sending region snapshot replacement garbage collect \
+                        request failed: {e}",
+                    );
+                    error!(
+                        &log,
+                        "{s}";
+                        "request.snapshot_id" => %request.old_snapshot_id,
+                        "request.region_id" => %request.old_region_id,
+                        "request.dataset_id" => %request.old_dataset_id,
+                    );
+                    status.errors.push(s);
+                }
+            }
+        }
+    }
+}
+
+impl BackgroundTask for RegionSnapshotReplacementGarbageCollect {
+    fn activate<'a>(
+        &'a mut self,
+        opctx: &'a OpContext,
+    ) -> BoxFuture<'a, serde_json::Value> {
+        async move {
+            let log = &opctx.log;
+            info!(
+                &log,
+                "region snapshot replacement garbage collect task started",
+            );
+
+            let mut status =
+                RegionSnapshotReplacementGarbageCollectStatus::default();
+
+            self.clean_up_region_snapshot_replacement_volumes(
+                opctx,
+                &mut status,
+            )
+            .await;
+
+            info!(
+                &log,
+                "region snapshot replacement garbage collect task done"
+            );
+
+            json!(status)
+        }
+        .boxed()
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use crate::app::background::init::test::NoopStartSaga;
+    use nexus_db_model::RegionSnapshotReplacement;
+    use nexus_db_model::RegionSnapshotReplacementState;
+    use nexus_test_utils_macros::nexus_test;
+    use uuid::Uuid;
+
+    type ControlPlaneTestContext =
+        nexus_test_utils::ControlPlaneTestContext<crate::Server>;
+
+    #[nexus_test(server = crate::Server)]
+    async fn test_region_snapshot_replacement_garbage_collect_task(
+        cptestctx: &ControlPlaneTestContext,
+    ) {
+        let nexus = &cptestctx.server.server_context().nexus;
+        let datastore = nexus.datastore();
+        let opctx = OpContext::for_tests(
+            cptestctx.logctx.log.clone(),
+            datastore.clone(),
+        );
+
+        let starter = Arc::new(NoopStartSaga::new());
+        let mut task = RegionSnapshotReplacementGarbageCollect::new(
+            datastore.clone(),
+            starter.clone(),
+        );
+
+        // Noop test
+        let result: RegionSnapshotReplacementGarbageCollectStatus =
+            serde_json::from_value(task.activate(&opctx).await).unwrap();
+        assert_eq!(
+            result,
+            RegionSnapshotReplacementGarbageCollectStatus::default()
+        );
+        assert_eq!(starter.count_reset(), 0);
+
+        // Add two region snapshot requests that need garbage collection
+
+        let mut request = RegionSnapshotReplacement::new(
+            Uuid::new_v4(),
+            Uuid::new_v4(),
+            Uuid::new_v4(),
+        );
+        request.replacement_state =
+            RegionSnapshotReplacementState::ReplacementDone;
+        request.old_snapshot_volume_id = Some(Uuid::new_v4());
+
+        let request_1_id = request.id;
+
+        datastore
+            .insert_region_snapshot_replacement_request_with_volume_id(
+                &opctx,
+                request,
+                Uuid::new_v4(),
+            )
+            .await
+            .unwrap();
+
+        let mut request = RegionSnapshotReplacement::new(
+            Uuid::new_v4(),
+            Uuid::new_v4(),
+            Uuid::new_v4(),
+        );
+        request.replacement_state =
+            RegionSnapshotReplacementState::ReplacementDone;
+        request.old_snapshot_volume_id = Some(Uuid::new_v4());
+
+        let request_2_id = request.id;
+
+        datastore
+            .insert_region_snapshot_replacement_request_with_volume_id(
+                &opctx,
+                request,
+                Uuid::new_v4(),
+            )
+            .await
+            .unwrap();
+
+        // Activate the task - it should pick up the two requests
+
+        let result: RegionSnapshotReplacementGarbageCollectStatus =
+            serde_json::from_value(task.activate(&opctx).await).unwrap();
+
+        for error in &result.errors {
+            eprintln!("{error}");
+        }
+
+        assert_eq!(result.garbage_collect_requested.len(), 2);
+
+        let s = format!(
+            "region snapshot replacement garbage collect request ok for \
+            {request_1_id}"
+        );
+        assert!(result.garbage_collect_requested.contains(&s));
+
+        let s = format!(
+            "region snapshot replacement garbage collect request ok for \
+            {request_2_id}"
+        );
+        assert!(result.garbage_collect_requested.contains(&s));
+
+        assert_eq!(result.errors.len(), 0);
+
+        assert_eq!(starter.count_reset(), 2);
+    }
+}
diff --git a/nexus/src/app/deployment.rs b/nexus/src/app/deployment.rs
index e9095cc991..50ae332d3f 100644
--- a/nexus/src/app/deployment.rs
+++ b/nexus/src/app/deployment.rs
@@ -17,9 +17,6 @@ use nexus_types::deployment::CockroachDbClusterVersion;
 use nexus_types::deployment::PlanningInput;
 use nexus_types::deployment::SledFilter;
 use nexus_types::inventory::Collection;
-use omicron_common::address::BOUNDARY_NTP_REDUNDANCY;
-use omicron_common::address::COCKROACHDB_REDUNDANCY;
-use omicron_common::address::NEXUS_REDUNDANCY;
 use omicron_common::api::external::CreateResult;
 use omicron_common::api::external::DataPageParams;
 use omicron_common::api::external::DeleteResult;
@@ -28,6 +25,9 @@ use omicron_common::api::external::InternalContext;
 use omicron_common::api::external::ListResultVec;
 use omicron_common::api::external::LookupResult;
 use omicron_common::api::external::LookupType;
+use omicron_common::policy::BOUNDARY_NTP_REDUNDANCY;
+use omicron_common::policy::COCKROACHDB_REDUNDANCY;
+use omicron_common::policy::NEXUS_REDUNDANCY;
 use slog_error_chain::InlineErrorChain;
 use uuid::Uuid;
 
diff --git a/nexus/src/app/external_dns.rs b/nexus/src/app/external_dns.rs
index c6a8d833c2..4732146ce2 100644
--- a/nexus/src/app/external_dns.rs
+++ b/nexus/src/app/external_dns.rs
@@ -5,15 +5,15 @@
 use std::net::IpAddr;
 use std::net::SocketAddr;
 
+use hickory_resolver::config::NameServerConfig;
+use hickory_resolver::config::Protocol;
+use hickory_resolver::config::ResolverConfig;
+use hickory_resolver::config::ResolverOpts;
+use hickory_resolver::TokioAsyncResolver;
 use hyper::client::connect::dns::Name;
 use omicron_common::address::DNS_PORT;
-use trust_dns_resolver::config::NameServerConfig;
-use trust_dns_resolver::config::Protocol;
-use trust_dns_resolver::config::ResolverConfig;
-use trust_dns_resolver::config::ResolverOpts;
-use trust_dns_resolver::TokioAsyncResolver;
 
-/// Wrapper around trust-dns-resolver to provide name resolution
+/// Wrapper around hickory-resolver to provide name resolution
 /// using a given set of DNS servers for use with reqwest.
 pub struct Resolver(TokioAsyncResolver);
 
@@ -26,18 +26,17 @@ impl Resolver {
                 socket_addr: SocketAddr::new(*addr, DNS_PORT),
                 protocol: Protocol::Udp,
                 tls_dns_name: None,
-                trust_nx_responses: false,
+                trust_negative_responses: false,
                 bind_addr: None,
             });
         }
         let mut opts = ResolverOpts::default();
+        // Enable edns for potentially larger records
+        opts.edns0 = true;
         opts.use_hosts_file = false;
         // Do as many requests in parallel as we have configured servers
         opts.num_concurrent_reqs = dns_servers.len();
-        Resolver(
-            TokioAsyncResolver::tokio(rc, opts)
-                .expect("creating resovler shouldn't fail"),
-        )
+        Resolver(TokioAsyncResolver::tokio(rc, opts))
     }
 }
 
@@ -48,7 +47,7 @@ impl reqwest::dns::Resolve for Resolver {
             let ips = resolver.lookup_ip(name.as_str()).await?;
             let addrs = ips
                 .into_iter()
-                // trust-dns-resolver returns `IpAddr`s but reqwest wants
+                // hickory-resolver returns `IpAddr`s but reqwest wants
                 // `SocketAddr`s (useful if you have a custom resolver that
                 // returns a scoped IPv6 address). The port provided here
                 // is ignored in favour of the scheme default (http/80,
diff --git a/nexus/src/app/sagas/mod.rs b/nexus/src/app/sagas/mod.rs
index 471118a5cb..926b983460 100644
--- a/nexus/src/app/sagas/mod.rs
+++ b/nexus/src/app/sagas/mod.rs
@@ -39,6 +39,7 @@ pub mod project_create;
 pub mod region_replacement_drive;
 pub mod region_replacement_finish;
 pub mod region_replacement_start;
+pub mod region_snapshot_replacement_garbage_collect;
 pub mod region_snapshot_replacement_start;
 pub mod snapshot_create;
 pub mod snapshot_delete;
@@ -194,6 +195,9 @@ fn make_action_registry() -> ActionRegistry {
     <region_snapshot_replacement_start::SagaRegionSnapshotReplacementStart as NexusSaga>::register_actions(
         &mut registry,
     );
+    <region_snapshot_replacement_garbage_collect::SagaRegionSnapshotReplacementGarbageCollect as NexusSaga>::register_actions(
+        &mut registry,
+    );
 
     #[cfg(test)]
     <test_saga::SagaTest as NexusSaga>::register_actions(&mut registry);
diff --git a/nexus/src/app/sagas/region_snapshot_replacement_garbage_collect.rs b/nexus/src/app/sagas/region_snapshot_replacement_garbage_collect.rs
new file mode 100644
index 0000000000..e3c5143a68
--- /dev/null
+++ b/nexus/src/app/sagas/region_snapshot_replacement_garbage_collect.rs
@@ -0,0 +1,326 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Clean up the volume that stashes the target replaced during the region
+//! snapshot replacement start saga. After that's done, change the region
+//! snapshot replacement state to Running. This saga handles the following
+//! region snapshot replacement request state transitions:
+//!
+//! ```text
+//!    ReplacementDone  <--
+//!                       |
+//!          |            |
+//!          v            |
+//!                       |
+//!  DeletingOldVolume  --
+//!
+//!          |
+//!          v
+//!
+//!       Running
+//! ```
+//!
+//! See the documentation for the "region snapshot replacement step" saga for
+//! the next step(s) in the process.
+
+use super::{
+    ActionRegistry, NexusActionContext, NexusSaga, SagaInitError,
+    ACTION_GENERATE_ID,
+};
+use crate::app::sagas::declare_saga_actions;
+use crate::app::sagas::volume_delete;
+use crate::app::{authn, db};
+use serde::Deserialize;
+use serde::Serialize;
+use steno::ActionError;
+use steno::Node;
+use uuid::Uuid;
+
+// region snapshot replacement garbage collect saga: input parameters
+
+#[derive(Debug, Deserialize, Serialize)]
+pub(crate) struct Params {
+    pub serialized_authn: authn::saga::Serialized,
+    /// The fake volume created for the snapshot that was replaced
+    // Note: this is only required in the params to build the volume-delete sub
+    // saga
+    pub old_snapshot_volume_id: Uuid,
+    pub request: db::model::RegionSnapshotReplacement,
+}
+
+// region snapshot replacement garbage collect saga: actions
+
+declare_saga_actions! {
+    region_snapshot_replacement_garbage_collect;
+    SET_SAGA_ID -> "unused_1" {
+        + rsrgs_set_saga_id
+        - rsrgs_set_saga_id_undo
+    }
+    UPDATE_REQUEST_RECORD -> "unused_2" {
+        + rsrgs_update_request_record
+    }
+}
+
+// region snapshot replacement garbage collect saga: definition
+
+#[derive(Debug)]
+pub(crate) struct SagaRegionSnapshotReplacementGarbageCollect;
+impl NexusSaga for SagaRegionSnapshotReplacementGarbageCollect {
+    const NAME: &'static str = "region-snapshot-replacement-garbage-collect";
+    type Params = Params;
+
+    fn register_actions(registry: &mut ActionRegistry) {
+        region_snapshot_replacement_garbage_collect_register_actions(registry);
+    }
+
+    fn make_saga_dag(
+        params: &Self::Params,
+        mut builder: steno::DagBuilder,
+    ) -> Result<steno::Dag, SagaInitError> {
+        builder.append(Node::action(
+            "saga_id",
+            "GenerateSagaId",
+            ACTION_GENERATE_ID.as_ref(),
+        ));
+
+        builder.append(set_saga_id_action());
+
+        let subsaga_params = volume_delete::Params {
+            serialized_authn: params.serialized_authn.clone(),
+            volume_id: params.old_snapshot_volume_id,
+        };
+
+        let subsaga_dag = {
+            let subsaga_builder = steno::DagBuilder::new(steno::SagaName::new(
+                volume_delete::SagaVolumeDelete::NAME,
+            ));
+            volume_delete::SagaVolumeDelete::make_saga_dag(
+                &subsaga_params,
+                subsaga_builder,
+            )?
+        };
+
+        builder.append(Node::constant(
+            "params_for_volume_delete_subsaga",
+            serde_json::to_value(&subsaga_params).map_err(|e| {
+                SagaInitError::SerializeError(
+                    "params_for_volume_delete_subsaga".to_string(),
+                    e,
+                )
+            })?,
+        ));
+
+        builder.append(Node::subsaga(
+            "volume_delete_subsaga_no_result",
+            subsaga_dag,
+            "params_for_volume_delete_subsaga",
+        ));
+
+        builder.append(update_request_record_action());
+
+        Ok(builder.build()?)
+    }
+}
+
+// region snapshot replacement garbage collect saga: action implementations
+
+async fn rsrgs_set_saga_id(
+    sagactx: NexusActionContext,
+) -> Result<(), ActionError> {
+    let osagactx = sagactx.user_data();
+    let params = sagactx.saga_params::<Params>()?;
+
+    let opctx = crate::context::op_context_for_saga_action(
+        &sagactx,
+        &params.serialized_authn,
+    );
+
+    let saga_id = sagactx.lookup::<Uuid>("saga_id")?;
+
+    // Change the request record here to an intermediate "deleting old volume"
+    // state to block out other sagas that will be triggered for the same
+    // request.
+    osagactx
+        .datastore()
+        .set_region_snapshot_replacement_deleting_old_volume(
+            &opctx,
+            params.request.id,
+            saga_id,
+        )
+        .await
+        .map_err(ActionError::action_failed)?;
+
+    Ok(())
+}
+
+async fn rsrgs_set_saga_id_undo(
+    sagactx: NexusActionContext,
+) -> Result<(), anyhow::Error> {
+    let osagactx = sagactx.user_data();
+    let params = sagactx.saga_params::<Params>()?;
+    let opctx = crate::context::op_context_for_saga_action(
+        &sagactx,
+        &params.serialized_authn,
+    );
+
+    let saga_id = sagactx.lookup::<Uuid>("saga_id")?;
+
+    osagactx
+        .datastore()
+        .undo_set_region_snapshot_replacement_deleting_old_volume(
+            &opctx,
+            params.request.id,
+            saga_id,
+        )
+        .await?;
+
+    Ok(())
+}
+
+async fn rsrgs_update_request_record(
+    sagactx: NexusActionContext,
+) -> Result<(), ActionError> {
+    let params = sagactx.saga_params::<Params>()?;
+    let osagactx = sagactx.user_data();
+    let datastore = osagactx.datastore();
+    let opctx = crate::context::op_context_for_saga_action(
+        &sagactx,
+        &params.serialized_authn,
+    );
+
+    let saga_id = sagactx.lookup::<Uuid>("saga_id")?;
+
+    // Now that the snapshot volume has been deleted, update the replacement
+    // request record to 'Running'. There is no undo step for this, it should
+    // succeed idempotently.
+
+    datastore
+        .set_region_snapshot_replacement_running(
+            &opctx,
+            params.request.id,
+            saga_id,
+        )
+        .await
+        .map_err(ActionError::action_failed)?;
+
+    Ok(())
+}
+
+#[cfg(test)]
+pub(crate) mod test {
+    use crate::app::sagas::region_snapshot_replacement_garbage_collect::{
+        Params, SagaRegionSnapshotReplacementGarbageCollect,
+    };
+    use nexus_db_model::RegionSnapshotReplacement;
+    use nexus_db_model::RegionSnapshotReplacementState;
+    use nexus_db_model::Volume;
+    use nexus_db_queries::authn::saga::Serialized;
+    use nexus_db_queries::context::OpContext;
+    use nexus_test_utils_macros::nexus_test;
+    use sled_agent_client::types::CrucibleOpts;
+    use sled_agent_client::types::VolumeConstructionRequest;
+    use uuid::Uuid;
+
+    type ControlPlaneTestContext =
+        nexus_test_utils::ControlPlaneTestContext<crate::Server>;
+
+    #[nexus_test(server = crate::Server)]
+    async fn test_region_snapshot_replacement_garbage_collect_saga(
+        cptestctx: &ControlPlaneTestContext,
+    ) {
+        let nexus = &cptestctx.server.server_context().nexus;
+        let datastore = nexus.datastore();
+        let opctx = OpContext::for_tests(
+            cptestctx.logctx.log.clone(),
+            datastore.clone(),
+        );
+
+        // Manually insert required records
+        let old_snapshot_volume_id = Uuid::new_v4();
+
+        let volume_construction_request = VolumeConstructionRequest::Volume {
+            id: old_snapshot_volume_id,
+            block_size: 0,
+            sub_volumes: vec![VolumeConstructionRequest::Region {
+                block_size: 0,
+                blocks_per_extent: 0,
+                extent_count: 0,
+                gen: 0,
+                opts: CrucibleOpts {
+                    id: old_snapshot_volume_id,
+                    target: vec![
+                        // XXX if you put something here, you'll need a
+                        // synthetic dataset record
+                    ],
+                    lossy: false,
+                    flush_timeout: None,
+                    key: None,
+                    cert_pem: None,
+                    key_pem: None,
+                    root_cert_pem: None,
+                    control: None,
+                    read_only: false,
+                },
+            }],
+            read_only_parent: None,
+        };
+
+        let volume_data =
+            serde_json::to_string(&volume_construction_request).unwrap();
+
+        datastore
+            .volume_create(Volume::new(old_snapshot_volume_id, volume_data))
+            .await
+            .unwrap();
+
+        let mut request = RegionSnapshotReplacement::new(
+            Uuid::new_v4(),
+            Uuid::new_v4(),
+            Uuid::new_v4(),
+        );
+        request.replacement_state =
+            RegionSnapshotReplacementState::ReplacementDone;
+        request.old_snapshot_volume_id = Some(old_snapshot_volume_id);
+
+        datastore
+            .insert_region_snapshot_replacement_request_with_volume_id(
+                &opctx,
+                request.clone(),
+                Uuid::new_v4(),
+            )
+            .await
+            .unwrap();
+
+        // Run the saga
+        let params = Params {
+            serialized_authn: Serialized::for_opctx(&opctx),
+            old_snapshot_volume_id,
+            request: request.clone(),
+        };
+
+        let _output = nexus
+            .sagas
+            .saga_execute::<SagaRegionSnapshotReplacementGarbageCollect>(params)
+            .await
+            .unwrap();
+
+        // Validate the state transition
+        let result = datastore
+            .get_region_snapshot_replacement_request_by_id(&opctx, request.id)
+            .await
+            .unwrap();
+
+        assert_eq!(
+            result.replacement_state,
+            RegionSnapshotReplacementState::Running
+        );
+
+        // Validate the Volume was deleted
+        assert!(datastore
+            .volume_get(old_snapshot_volume_id)
+            .await
+            .unwrap()
+            .is_none());
+    }
+}
diff --git a/nexus/test-utils/Cargo.toml b/nexus/test-utils/Cargo.toml
index a883bc83c5..50110ecaca 100644
--- a/nexus/test-utils/Cargo.toml
+++ b/nexus/test-utils/Cargo.toml
@@ -46,7 +46,7 @@ sled-agent-client.workspace = true
 slog.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
-trust-dns-resolver.workspace = true
+hickory-resolver.workspace = true
 uuid.workspace = true
 omicron-workspace-hack.workspace = true
 
diff --git a/nexus/test-utils/src/lib.rs b/nexus/test-utils/src/lib.rs
index 478a52ffe8..453229bb36 100644
--- a/nexus/test-utils/src/lib.rs
+++ b/nexus/test-utils/src/lib.rs
@@ -17,6 +17,11 @@ use dropshot::HandlerTaskMode;
 use futures::future::BoxFuture;
 use futures::FutureExt;
 use gateway_test_utils::setup::GatewayTestContext;
+use hickory_resolver::config::NameServerConfig;
+use hickory_resolver::config::Protocol;
+use hickory_resolver::config::ResolverConfig;
+use hickory_resolver::config::ResolverOpts;
+use hickory_resolver::TokioAsyncResolver;
 use nexus_config::Database;
 use nexus_config::DpdConfig;
 use nexus_config::InternalDns;
@@ -73,11 +78,6 @@ use std::collections::HashMap;
 use std::fmt::Debug;
 use std::net::{IpAddr, Ipv6Addr, SocketAddr, SocketAddrV6};
 use std::time::Duration;
-use trust_dns_resolver::config::NameServerConfig;
-use trust_dns_resolver::config::Protocol;
-use trust_dns_resolver::config::ResolverConfig;
-use trust_dns_resolver::config::ResolverOpts;
-use trust_dns_resolver::TokioAsyncResolver;
 use uuid::Uuid;
 
 pub use sim::TEST_HARDWARE_THREADS;
@@ -1588,12 +1588,12 @@ pub async fn start_dns_server(
         socket_addr: dns_server.local_address(),
         protocol: Protocol::Udp,
         tls_dns_name: None,
-        trust_nx_responses: false,
+        trust_negative_responses: false,
         bind_addr: None,
     });
-    let resolver =
-        TokioAsyncResolver::tokio(resolver_config, ResolverOpts::default())
-            .context("creating DNS resolver")?;
+    let mut resolver_opts = ResolverOpts::default();
+    resolver_opts.edns0 = true;
+    let resolver = TokioAsyncResolver::tokio(resolver_config, resolver_opts);
 
     Ok((dns_server, http_server, resolver))
 }
diff --git a/nexus/tests/config.test.toml b/nexus/tests/config.test.toml
index 35b55184b9..d9cbb5eb34 100644
--- a/nexus/tests/config.test.toml
+++ b/nexus/tests/config.test.toml
@@ -138,6 +138,7 @@ lookup_region_port.period_secs = 60
 instance_updater.disable = true
 instance_updater.period_secs = 60
 region_snapshot_replacement_start.period_secs = 30
+region_snapshot_replacement_garbage_collection.period_secs = 30
 
 [default_region_allocation_strategy]
 # we only have one sled in the test environment, so we need to use the
diff --git a/nexus/tests/integration_tests/silos.rs b/nexus/tests/integration_tests/silos.rs
index 2c861ff159..0de4d31395 100644
--- a/nexus/tests/integration_tests/silos.rs
+++ b/nexus/tests/integration_tests/silos.rs
@@ -37,6 +37,7 @@ use std::fmt::Write;
 use std::str::FromStr;
 
 use base64::Engine;
+use hickory_resolver::error::ResolveErrorKind;
 use http::method::Method;
 use http::StatusCode;
 use httptest::{matchers::*, responders::*, Expectation, Server};
@@ -44,7 +45,6 @@ use nexus_types::external_api::shared::{FleetRole, SiloRole};
 use std::convert::Infallible;
 use std::net::Ipv4Addr;
 use std::time::Duration;
-use trust_dns_resolver::error::ResolveErrorKind;
 use uuid::Uuid;
 
 type ControlPlaneTestContext =
@@ -2164,7 +2164,7 @@ pub async fn verify_silo_dns_name(
                 .await
             {
                 Ok(result) => {
-                    let addrs: Vec<_> = result.iter().collect();
+                    let addrs: Vec<_> = result.iter().map(|a| &a.0).collect();
                     if addrs.is_empty() {
                         false
                     } else {
diff --git a/nexus/types/src/deployment/planning_input.rs b/nexus/types/src/deployment/planning_input.rs
index 1af3636d0e..c6a61aac78 100644
--- a/nexus/types/src/deployment/planning_input.rs
+++ b/nexus/types/src/deployment/planning_input.rs
@@ -709,6 +709,23 @@ pub struct Policy {
     /// at present this is hardcoded based on the version of CockroachDB we
     /// presently ship and the tick-tock pattern described in RFD 469.
     pub target_cockroachdb_cluster_version: CockroachDbClusterVersion,
+
+    /// Policy information for a replicated clickhouse setup
+    ///
+    /// If this policy is `None`, then we are using a single node clickhouse
+    /// setup. Eventually we will only allow multi-node setups and this will no
+    /// longer be an option.
+    pub clickhouse_policy: Option<ClickhousePolicy>,
+}
+
+/// Policy for replicated clickhouse setups
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ClickhousePolicy {
+    /// Desired number of clickhouse servers
+    pub target_servers: usize,
+
+    /// Desired number of clickhouse keepers
+    pub target_keepers: usize,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -761,6 +778,7 @@ impl PlanningInputBuilder {
                 target_cockroachdb_zone_count: 0,
                 target_cockroachdb_cluster_version:
                     CockroachDbClusterVersion::POLICY,
+                clickhouse_policy: None,
             },
             internal_dns_version: Generation::new(),
             external_dns_version: Generation::new(),
diff --git a/nexus/types/src/internal_api/background.rs b/nexus/types/src/internal_api/background.rs
index 2f8a411cf7..8e4b6b3013 100644
--- a/nexus/types/src/internal_api/background.rs
+++ b/nexus/types/src/internal_api/background.rs
@@ -28,3 +28,11 @@ pub struct RegionSnapshotReplacementStartStatus {
     pub start_invoked_ok: Vec<String>,
     pub errors: Vec<String>,
 }
+
+/// The status of a `region_snapshot_replacement_garbage_collect` background
+/// task activation
+#[derive(Serialize, Deserialize, Default, Debug, PartialEq, Eq)]
+pub struct RegionSnapshotReplacementGarbageCollectStatus {
+    pub garbage_collect_requested: Vec<String>,
+    pub errors: Vec<String>,
+}
diff --git a/sled-agent/src/rack_setup/plan/service.rs b/sled-agent/src/rack_setup/plan/service.rs
index c1549b1fb3..ebeb4c3693 100644
--- a/sled-agent/src/rack_setup/plan/service.rs
+++ b/sled-agent/src/rack_setup/plan/service.rs
@@ -14,10 +14,8 @@ use nexus_sled_agent_shared::inventory::{
 };
 use omicron_common::address::{
     get_sled_address, get_switch_zone_address, Ipv6Subnet, ReservedRackSubnet,
-    BOUNDARY_NTP_REDUNDANCY, COCKROACHDB_REDUNDANCY, DENDRITE_PORT,
-    DNS_HTTP_PORT, DNS_PORT, DNS_REDUNDANCY, MAX_DNS_REDUNDANCY, MGD_PORT,
-    MGS_PORT, NEXUS_REDUNDANCY, NTP_PORT, NUM_SOURCE_NAT_PORTS,
-    RSS_RESERVED_ADDRESSES, SLED_PREFIX,
+    DENDRITE_PORT, DNS_HTTP_PORT, DNS_PORT, MGD_PORT, MGS_PORT, NTP_PORT,
+    NUM_SOURCE_NAT_PORTS, RSS_RESERVED_ADDRESSES, SLED_PREFIX,
 };
 use omicron_common::api::external::{Generation, MacAddr, Vni};
 use omicron_common::api::internal::shared::{
@@ -31,6 +29,10 @@ use omicron_common::disk::{
     DiskVariant, OmicronPhysicalDiskConfig, OmicronPhysicalDisksConfig,
 };
 use omicron_common::ledger::{self, Ledger, Ledgerable};
+use omicron_common::policy::{
+    BOUNDARY_NTP_REDUNDANCY, COCKROACHDB_REDUNDANCY, DNS_REDUNDANCY,
+    MAX_DNS_REDUNDANCY, NEXUS_REDUNDANCY,
+};
 use omicron_uuid_kinds::{GenericUuid, OmicronZoneUuid, SledUuid, ZpoolUuid};
 use rand::prelude::SliceRandom;
 use schemars::JsonSchema;
@@ -54,15 +56,24 @@ use uuid::Uuid;
 const OXIMETER_COUNT: usize = 1;
 // TODO(https://github.com/oxidecomputer/omicron/issues/732): Remove
 // when Nexus provisions Clickhouse.
-// TODO(https://github.com/oxidecomputer/omicron/issues/4000): Set to 0 when enabling replicated ClickHouse
+// TODO(https://github.com/oxidecomputer/omicron/issues/4000): Use
+// omicron_common::policy::CLICKHOUSE_SERVER_REDUNDANCY once we enable
+// replicated ClickHouse.
+// Set to 0 when testing replicated ClickHouse.
 const CLICKHOUSE_COUNT: usize = 1;
 // TODO(https://github.com/oxidecomputer/omicron/issues/732): Remove
 // when Nexus provisions Clickhouse keeper.
-// TODO(https://github.com/oxidecomputer/omicron/issues/4000): Set to 3 when enabling replicated ClickHouse
+// TODO(https://github.com/oxidecomputer/omicron/issues/4000): Use
+// omicron_common::policy::CLICKHOUSE_KEEPER_REDUNDANCY once we enable
+// replicated ClickHouse
+// Set to 3 when testing replicated ClickHouse.
 const CLICKHOUSE_KEEPER_COUNT: usize = 0;
 // TODO(https://github.com/oxidecomputer/omicron/issues/732): Remove
 // when Nexus provisions Clickhouse server.
-// TODO(https://github.com/oxidecomputer/omicron/issues/4000): Set to 2 when enabling replicated ClickHouse
+// TODO(https://github.com/oxidecomputer/omicron/issues/4000): Use
+// omicron_common::policy::CLICKHOUSE_SERVER_REDUNDANCY once we enable
+// replicated ClickHouse.
+// Set to 2 when testing replicated ClickHouse
 const CLICKHOUSE_SERVER_COUNT: usize = 0;
 // TODO(https://github.com/oxidecomputer/omicron/issues/732): Remove.
 // when Nexus provisions Crucible.
diff --git a/smf/nexus/multi-sled/config-partial.toml b/smf/nexus/multi-sled/config-partial.toml
index 437615938f..2e3a8fe578 100644
--- a/smf/nexus/multi-sled/config-partial.toml
+++ b/smf/nexus/multi-sled/config-partial.toml
@@ -66,6 +66,7 @@ saga_recovery.period_secs = 600
 lookup_region_port.period_secs = 60
 instance_updater.period_secs = 30
 region_snapshot_replacement_start.period_secs = 30
+region_snapshot_replacement_garbage_collection.period_secs = 30
 
 [default_region_allocation_strategy]
 # by default, allocate across 3 distinct sleds
diff --git a/smf/nexus/single-sled/config-partial.toml b/smf/nexus/single-sled/config-partial.toml
index 95dcca14ae..dbd61e953d 100644
--- a/smf/nexus/single-sled/config-partial.toml
+++ b/smf/nexus/single-sled/config-partial.toml
@@ -66,6 +66,7 @@ saga_recovery.period_secs = 600
 lookup_region_port.period_secs = 60
 instance_updater.period_secs = 30
 region_snapshot_replacement_start.period_secs = 30
+region_snapshot_replacement_garbage_collection.period_secs = 30
 
 [default_region_allocation_strategy]
 # by default, allocate without requirement for distinct sleds.
diff --git a/tools/permslip_staging b/tools/permslip_staging
index d886cc4246..d2ddc45f20 100644
--- a/tools/permslip_staging
+++ b/tools/permslip_staging
@@ -1,5 +1,5 @@
-34cf117633f82cc8f665dc3b6c78dc2aff61ca87d2b2687290605080265dda30 manifest-gimlet-v1.0.23.toml
+6ea87b554882860f1a9b1cf97b2f4a9c61fadf3d69e6ea1bdcd781d306d6ca9c manifest-gimlet-v1.0.24.toml
 85553dd164933a9b9e4f22409abd1190b1d632d192b5f7527129acaa778a671a manifest-oxide-rot-1-v1.0.13.toml
-db995edfe91959df3cb20ea8156f75b9dcff5ec5e77f98a28766617a8ed2e0c5 manifest-psc-v1.0.22.toml
-26b6096a377edb3d7da50b1b499af104e6195bc7c7c6eb1b2751b32434d7ac9e manifest-sidecar-v1.0.23.toml
+11bc0684155119f494a6e21810e4dc97b9efadb8154d570f67143dae98a45060 manifest-psc-v1.0.23.toml
+60205852109f1584d29e2b086eae5a72d7f61b2e1f64d958e6326312ed2b0d66 manifest-sidecar-v1.0.24.toml
 c0fecaefac7674138337f3bd4ce4ce5b884053dead5ec27b575701471631ea2f manifest-bootleby-v1.3.0.toml
diff --git a/wicketd/Cargo.toml b/wicketd/Cargo.toml
index 324ae01b42..6e2c27a97e 100644
--- a/wicketd/Cargo.toml
+++ b/wicketd/Cargo.toml
@@ -25,6 +25,7 @@ flume.workspace = true
 futures.workspace = true
 gateway-messages.workspace = true
 hex.workspace = true
+hickory-resolver.workspace = true
 http.workspace = true
 hubtools.workspace = true
 hyper.workspace = true
@@ -46,7 +47,6 @@ tokio-stream.workspace = true
 tokio-util.workspace = true
 toml.workspace = true
 tough.workspace = true
-trust-dns-resolver.workspace = true
 uuid.workspace = true
 
 bootstrap-agent-client.workspace = true
diff --git a/wicketd/src/preflight_check/uplink.rs b/wicketd/src/preflight_check/uplink.rs
index 36a4f61779..fb0914e836 100644
--- a/wicketd/src/preflight_check/uplink.rs
+++ b/wicketd/src/preflight_check/uplink.rs
@@ -14,6 +14,11 @@ use dpd_client::types::PortSpeed as DpdPortSpeed;
 use dpd_client::Client as DpdClient;
 use dpd_client::ClientState as DpdClientState;
 use either::Either;
+use hickory_resolver::config::NameServerConfigGroup;
+use hickory_resolver::config::ResolverConfig;
+use hickory_resolver::config::ResolverOpts;
+use hickory_resolver::error::ResolveErrorKind;
+use hickory_resolver::TokioAsyncResolver;
 use illumos_utils::zone::SVCCFG;
 use illumos_utils::PFEXEC;
 use omicron_common::address::DENDRITE_PORT;
@@ -35,12 +40,6 @@ use std::time::Duration;
 use std::time::Instant;
 use tokio::process::Command;
 use tokio::sync::mpsc;
-use trust_dns_resolver::config::NameServerConfigGroup;
-use trust_dns_resolver::config::ResolverConfig;
-use trust_dns_resolver::config::ResolverOpts;
-use trust_dns_resolver::error::ResolveError;
-use trust_dns_resolver::error::ResolveErrorKind;
-use trust_dns_resolver::TokioAsyncResolver;
 use wicket_common::preflight_check::EventBuffer;
 use wicket_common::preflight_check::StepContext;
 use wicket_common::preflight_check::StepProgress;
@@ -930,16 +929,7 @@ impl DnsLookupStep {
         };
 
         'dns_servers: for &dns_ip in dns_servers {
-            let resolver = match self.build_resolver(dns_ip) {
-                Ok(resolver) => resolver,
-                Err(err) => {
-                    self.warnings.push(format!(
-                        "failed to create resolver for {dns_ip}: {}",
-                        DisplayErrorChain::new(&err)
-                    ));
-                    continue;
-                }
-            };
+            let resolver = self.build_resolver(dns_ip);
 
             // Attempt to resolve any NTP servers that aren't IP addresses.
             for &ntp_name in &ntp_names_to_resolve {
@@ -1052,14 +1042,18 @@ impl DnsLookupStep {
                 (
                     "A",
                     resolver.ipv4_lookup(name).await.map(|records| {
-                        Either::Left(records.into_iter().map(IpAddr::V4))
+                        Either::Left(
+                            records.into_iter().map(|x| IpAddr::V4(x.into())),
+                        )
                     }),
                 )
             } else {
                 (
                     "AAAA",
                     resolver.ipv6_lookup(name).await.map(|records| {
-                        Either::Right(records.into_iter().map(IpAddr::V6))
+                        Either::Right(
+                            records.into_iter().map(|x| IpAddr::V6(x.into())),
+                        )
                     }),
                 )
             };
@@ -1175,12 +1169,12 @@ impl DnsLookupStep {
     ///
     /// If building it fails, we'll append to our internal `warnings` and return
     /// `None`.
-    fn build_resolver(
-        &mut self,
-        dns_ip: IpAddr,
-    ) -> Result<TokioAsyncResolver, ResolveError> {
+    fn build_resolver(&mut self, dns_ip: IpAddr) -> TokioAsyncResolver {
         let mut options = ResolverOpts::default();
 
+        // Enable edns for potentially larger records
+        options.edns0 = true;
+
         // We will retry ourselves; we don't want the resolver
         // retrying internally too.
         options.attempts = 1;
diff --git a/workspace-hack/Cargo.toml b/workspace-hack/Cargo.toml
index 688e1a0921..5edfbccf93 100644
--- a/workspace-hack/Cargo.toml
+++ b/workspace-hack/Cargo.toml
@@ -60,9 +60,10 @@ getrandom = { version = "0.2.14", default-features = false, features = ["js", "r
 group = { version = "0.13.0", default-features = false, features = ["alloc"] }
 hashbrown = { version = "0.14.5", features = ["raw"] }
 hex = { version = "0.4.3", features = ["serde"] }
+hickory-proto = { version = "0.24.1", features = ["text-parsing"] }
 hmac = { version = "0.12.1", default-features = false, features = ["reset"] }
 hyper = { version = "0.14.30", features = ["full"] }
-indexmap = { version = "2.3.0", features = ["serde"] }
+indexmap = { version = "2.4.0", features = ["serde"] }
 inout = { version = "0.1.3", default-features = false, features = ["std"] }
 itertools-5ef9efb8ec2df382 = { package = "itertools", version = "0.12.1" }
 itertools-93f6ce9d446188ac = { package = "itertools", version = "0.10.5" }
@@ -95,7 +96,7 @@ schemars = { version = "0.8.21", features = ["bytes", "chrono", "uuid1"] }
 scopeguard = { version = "1.2.0" }
 semver = { version = "1.0.23", features = ["serde"] }
 serde = { version = "1.0.207", features = ["alloc", "derive", "rc"] }
-serde_json = { version = "1.0.124", features = ["raw_value", "unbounded_depth"] }
+serde_json = { version = "1.0.125", features = ["raw_value", "unbounded_depth"] }
 sha1 = { version = "0.10.6", features = ["oid"] }
 sha2 = { version = "0.10.8", features = ["oid"] }
 similar = { version = "2.5.0", features = ["bytes", "inline", "unicode"] }
@@ -113,7 +114,6 @@ tokio-util = { version = "0.7.11", features = ["codec", "io-util"] }
 toml = { version = "0.7.8" }
 toml_edit-3c51e837cfc5589a = { package = "toml_edit", version = "0.22.20", features = ["serde"] }
 tracing = { version = "0.1.40", features = ["log"] }
-trust-dns-proto = { version = "0.22.0" }
 unicode-bidi = { version = "0.3.15" }
 unicode-normalization = { version = "0.1.23" }
 usdt = { version = "0.5.0" }
@@ -167,9 +167,10 @@ getrandom = { version = "0.2.14", default-features = false, features = ["js", "r
 group = { version = "0.13.0", default-features = false, features = ["alloc"] }
 hashbrown = { version = "0.14.5", features = ["raw"] }
 hex = { version = "0.4.3", features = ["serde"] }
+hickory-proto = { version = "0.24.1", features = ["text-parsing"] }
 hmac = { version = "0.12.1", default-features = false, features = ["reset"] }
 hyper = { version = "0.14.30", features = ["full"] }
-indexmap = { version = "2.3.0", features = ["serde"] }
+indexmap = { version = "2.4.0", features = ["serde"] }
 inout = { version = "0.1.3", default-features = false, features = ["std"] }
 itertools-5ef9efb8ec2df382 = { package = "itertools", version = "0.12.1" }
 itertools-93f6ce9d446188ac = { package = "itertools", version = "0.10.5" }
@@ -202,7 +203,7 @@ schemars = { version = "0.8.21", features = ["bytes", "chrono", "uuid1"] }
 scopeguard = { version = "1.2.0" }
 semver = { version = "1.0.23", features = ["serde"] }
 serde = { version = "1.0.207", features = ["alloc", "derive", "rc"] }
-serde_json = { version = "1.0.124", features = ["raw_value", "unbounded_depth"] }
+serde_json = { version = "1.0.125", features = ["raw_value", "unbounded_depth"] }
 sha1 = { version = "0.10.6", features = ["oid"] }
 sha2 = { version = "0.10.8", features = ["oid"] }
 similar = { version = "2.5.0", features = ["bytes", "inline", "unicode"] }
@@ -222,7 +223,6 @@ tokio-util = { version = "0.7.11", features = ["codec", "io-util"] }
 toml = { version = "0.7.8" }
 toml_edit-3c51e837cfc5589a = { package = "toml_edit", version = "0.22.20", features = ["serde"] }
 tracing = { version = "0.1.40", features = ["log"] }
-trust-dns-proto = { version = "0.22.0" }
 unicode-bidi = { version = "0.3.15" }
 unicode-normalization = { version = "0.1.23" }
 unicode-xid = { version = "0.2.4" }