indexsource tools


Use this plugin with Nagios to be notified when your dnssec-enabled zone has signatures that are about to expire. You can download the source.


  • Net::DNS::Resolver Perl module
  • Net::DNS::SEC Perl module
  • List::Util Perl module


When called, the plugin issues a seed query for the zone to be tested. The seed query begins at a root DNS server and terminates when an authoritative answer is received.

Next, each authoritative nameserver is queried for a zone apex record. SOA is the default query type. If new authoritative nameservers are discovered during this phase, they are queried as well.

After all nameservers have been queried, the responses are analyzed. The script reports the following problems:

  • No authoritative nameservers found.
  • No RRSIG records found.
  • When at least one RRSIG record is already expired.
  • When at least one RRSIG record expires in the next CRIT days.
  • When at least one RRSIG record expires in the next WARN days.

How to use

Since Nagios normally monitors "hosts," instead of "zones" (or domains), we have to to trick it just a little bit. For example, create a pseudo-host with the name of the zone. Since you might already have a host named after the zone, prefix the host name with "zone".

The command line options -C and -W specify the threshholds for when to raise Critical (red) and Warning (yellow) conditions. They default to 2.0 and 3.0 days, respectively.

Use the command line option -T type to change the query type (defaults to SOA). You can use ANY to check signatures for all apex records.

define host {
	name                    dns-zone
	hostgroups              dns-zones
	register                0

define host {
	use                     dns-zone
	host_name               zone.example.com
	alias                   ZONE example.com

Next, define a command and service:

define command {
        command_name    check-zone-rrsig
        command_line    /usr/local/libexec/nagios-local/check_zone_rrsig_expiration -Z $HOSTADDRESS$ -W 3 -C 2

define service {
        name                    dns-rrsig-service
        servicegroups           dns-rrsig-group
        service_description     DNSRRSIG
        check_command           check-zone-rrsig
        register                0

define service {
        use                     dns-rrsig-service
        host_name               zone.example.com

Note that the check_zone_rrsig_expiration script will receive zone.example.com as the argument. The script strips off the leading "zone." from this argument.

© 2020 The Measurement Factory.