Use this plugin with Nagios to be notified when your dnssec-enabled zone has signatures that are about to expire. You can download the source.
When called, the plugin issues a seed query for the zone to be tested. The seed query begins at a root DNS server and terminates when an authoritative answer is received.
Next, each authoritative nameserver is queried for RRSIG records. If new authoritative nameservers are discovered during this phase, they are queried as well.
After all nameservers have been queried, the responses are analyzed. The script reports the following problems:
Since Nagios normally monitors "hosts" rather than "zones" (or domains), we have to trick it just a little: create a pseudo-host named after the zone. Because you might already have a host with the zone's name, prefix the host name with "zone.":
define host {
    name        dns-zone
    hostgroups  dns-zones
    ...
    register    0
}

define host {
    use         dns-zone
    host_name   zone.example.com
    alias       ZONE example.com
}
Next, define a command and service:
define command {
    command_name    check-zone-rrsig
    command_line    /usr/local/libexec/nagios-local/check_zone_rrsig_expiration -Z $HOSTADDRESS$
}

define service {
    name                dns-rrsig-service
    servicegroups       dns-rrsig-group
    service_description DNSRRSIG
    check_command       check-zone-rrsig
    ...
    register            0
}

define service {
    use         dns-rrsig-service
    host_name   zone.example.com
}
Note that, because no address is defined for the pseudo-host, $HOSTADDRESS$ expands to its host_name, so the check_zone_rrsig_expiration script receives zone.example.com as its argument. The script strips off the leading "zone." from this argument.
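The analysis step and the "zone." stripping described above, as an added example in Python that is not the plugin's own code: it parses RRSIG records in presentation format (as a nameserver's answer would be rendered), takes the signature closest to expiry and maps it to a Nagios exit state. The live seed query and nameserver walk are replaced by a constructed sample answer, and the 7-day warning and 3-day critical thresholds are assumptions, not the plugin's defaults.

```python
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes
RRSIG_TIME = "%Y%m%d%H%M%S"                  # RRSIG expiration/inception format (UTC)

def strip_zone_prefix(host_name):
    """Turn the Nagios pseudo-host name 'zone.example.com' into the zone 'example.com'."""
    return host_name[5:] if host_name.startswith("zone.") else host_name

def rrsig_time(stamp):
    """Parse an RRSIG timestamp (YYYYMMDDHHMMSS, UTC) into an aware datetime."""
    return datetime.strptime(stamp, RRSIG_TIME).replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG record in presentation format (RFC 4034 section 3.2)."""
    f = line.split()
    # owner ttl class RRSIG type_covered alg labels orig_ttl expiration inception keytag signer sig...
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "type_covered": f[4],
            "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9])}

def check_rrsig_expiration(lines, now, warn_days=7.0, crit_days=3.0):
    """Return (state, message) the way a Nagios plugin would. `now` is an aware datetime
    or an RRSIG-style timestamp string. The signature closest to expiry decides the
    state: one expired RRSIG is enough for a validating resolver to reject that RRset."""
    if isinstance(now, str):
        now = rrsig_time(now)
    sigs = [parse_rrsig(line) for line in lines]
    if not sigs:
        return UNKNOWN, "no RRSIG records found"
    soonest = min(sigs, key=lambda s: s["expiration"])
    remaining = (soonest["expiration"] - now).total_seconds() / 86400.0
    label = "%s RRSIG for %s" % (soonest["type_covered"], soonest["owner"])
    if remaining <= 0:
        return CRITICAL, "%s expired %.1f days ago" % (label, -remaining)
    if remaining < crit_days:
        return CRITICAL, "%s expires in %.1f days" % (label, remaining)
    if remaining < warn_days:
        return WARNING, "%s expires in %.1f days" % (label, remaining)
    return OK, "%s expires in %.1f days" % (label, remaining)

# Constructed sample answer (not real signatures; the signature field is filler).
SAMPLE = [
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20240118120000 20240104120000 12345 example.com. AAAAAAAA",
    "example.com. 3600 IN RRSIG NS 8 2 3600 20240115000000 20240101000000 12345 example.com. AAAAAAAA",
]
```

Called as `check_rrsig_expiration(SAMPLE, "20240110000000")`, the NS signature (5 days left) decides the result and yields WARNING; with a real check, `lines` would hold the RRSIGs collected from every authoritative nameserver.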
© 2008 The Measurement Factory.