Feature #98

Have nagios.bitfolk.com check for RRSIG expiration (DNSSEC)

Added by halleck almost 13 years ago. Updated over 6 years ago.

Status: New
Start: 2012-06-09
Priority: Normal
Due date:
Assigned to: -
% Done: 0%
Category: -
Target version: -
Votes: 0

Description

For DNSSEC zones, it would be a good thing if the Bitfolk Nagios also checked the expiry date of the RRSIG records.

Myself I have had some good experience with the check_dnssec_expiration plugin.

History

Updated by admin almost 13 years ago

Thanks for the pointer.

I've compiled these utilities on the Nagios host and they seem to work.

I asked you outside this tracker if you preferred the check to be done against just your master or against all DNS servers; you said you preferred all, and thinking about it I agree with that: best to know that all hosts have the correct info.

Thinking about the best way to set up the checks now. It could be manual, and have to be asked for, but this seems not so great as few people would think to ask.

I think it may be best if my script that builds the Nagios configuration for customer domains also checks if the domain has an RRSIG on SOA and if so adds the check_dnssec_expiration check. What do you think?

Updated by halleck almost 13 years ago

Well, in addition to checking for RRSIG on SOA it might also be a good idea to check for DS records in the parent zone. Without the latter, DNSSEC won't really be in effect, and the user might just be experimenting, without having proper re-signing, etc.
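
The decision discussed in the comments above (add the expiry check only when the zone has an RRSIG on SOA and a DS in the parent, and look at every name server), sketched as an added example; it is not the Bitfolk configuration script or the check_dnssec_expiration plugin. The function names and sample answers are constructed, and the input is assumed to be dig-style answer text collected beforehand.

```python
from datetime import datetime, timezone

def parse_rrs(text):
    """Yield (owner, type, rdata fields) from dig-style 'owner TTL IN type rdata' lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not f[0].startswith(";") and f[2].upper() == "IN":
            yield f[0].lower(), f[3].upper(), f[4:]

def soa_rrsig_expiry(text, zone):
    """Earliest expiration of the RRSIGs covering SOA at zone, or None if there are none."""
    found = []
    for owner, rrtype, rd in parse_rrs(text):
        # RRSIG rdata (RFC 4034): covered alg labels ttl expiration inception tag signer sig
        if owner == zone and rrtype == "RRSIG" and len(rd) >= 9 and rd[0].upper() == "SOA":
            found.append(datetime.strptime(rd[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc))
    return min(found) if found else None

def has_ds(text, zone):
    """True if the parent's answer holds a DS record for zone."""
    return any(o == zone and t == "DS" for o, t, _ in parse_rrs(text))

def plan_check(zone, soa_by_server, parent_ds, now):
    """Add the expiry check only when the zone is signed and the parent delegates securely."""
    if not has_ds(parent_ds, zone):
        return {"monitor": False, "reason": "no DS in parent"}
    expiry = {s: soa_rrsig_expiry(t, zone) for s, t in soa_by_server.items()}
    if all(e is None for e in expiry.values()):
        return {"monitor": False, "reason": "no RRSIG on SOA"}
    return {"monitor": True,
            "days_left": {s: (e - now).days for s, e in expiry.items() if e is not None},
            "unsigned_servers": sorted(s for s, e in expiry.items() if e is None)}

# Constructed sample answers (placeholder signature and digest, not real data).
ZONE = "example.org."
SOA_BY_SERVER = {
    "ns1.example.org": "example.org. 3600 IN RRSIG SOA 8 2 3600 20120709000000 20120609000000 12345 example.org. SIG-PLACEHOLDER",
    "ns2.example.org": "example.org. 3600 IN RRSIG SOA 8 2 3600 20120615000000 20120516000000 12345 example.org. SIG-PLACEHOLDER",
}
PARENT_DS = "example.org. 86400 IN DS 12345 8 2 DIGEST-PLACEHOLDER"
NOW = datetime(2012, 6, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(plan_check(ZONE, SOA_BY_SERVER, PARENT_DS, NOW))
```

In the sample, ns2 serves an older signature that expires weeks before the one on ns1, which is the case that checking only the master would miss.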

Updated by admin over 6 years ago
