Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Directory Tree

check_dnssec.sh

Rating
0 votes
Favoured:
0
Current Version
1.5
Last Release Date
2021-06-04
Compatible With
  • Nagios 3.x
License
GPL
Hits
4697
Files:
FileDescription
check_dnssec.shcheck_dnssec.sh
Nagios CSP

Meet The New Nagios Core Services Platform

Built on over 25 years of monitoring experience, the Nagios Core Services Platform provides insightful monitoring dashboards, time-saving monitoring wizards, and unmatched ease of use. Use it for free indefinitely.

Monitoring Made Magically Better

  • Nagios Core on Overdrive
  • Powerful Monitoring Dashboards
  • Time-Saving Configuration Wizards
  • Open Source Powered Monitoring On Steroids
  • And So Much More!
This plugin checks the validity of the vital DNSSEC components required for secure DNS resolution
of a correctly configured domain. The records are flags checked for validity are;

DS (Delegation Of Signing) record.
DNSKEY (Public Key) record.
AD (Authentic Data) flag.
RRSIG (Resource Record Signature) flag.

Finally the plugin checks how many days the zone will remain signed valid until resigning is required,
the initial default is 30 days. The plugin requires that correctly configured Bind DNS server has a valid DNSSEC installation with corresponding configured zone files to match. The configuration of the server and corresponding DNSSEC zone files and records are beyond the scope of this manual.
Copyright (c) 2021 Ryan Wilgoss (ryan.wilgoss@tridata-solutions.com)
Version: 1.5
Last Modified: 04/06/2021
License: GPL v3

System Requirements:
Nagios, Bash, Dig, NRPE Client (daemon), Bind DNS Server with DNSSEC and domain zones installed accordingly.

Usage: check_dnssec

Options:
/h = Display this help page

Command Line Example:

From the command line on the local DNS server:
# ./check_dnssec example.com 10 3

Result:
OK - Signed Zone Expires in 12 days: DS=OK, DNSKEY=OK, AD=OK, RRSEG=OK

Remote Command Line Example Using NRPE:

From Nagios server remotely via NRPE
# ./check_nrpe -H -c check_dnssec -a example.com 10 3

Result:
OK - Signed Zone Expires in 12 days: DS=OK, DNSKEY=OK, AD=OK, RRSEG=OK


Description:

This plugin checks the validity of the vital DNSSEC components required for secure DNS resolution of a correctly configured domain. The records are flags checked for validity are;

DS (Delegation Of Signing) record.
DNSKEY (Public Key) record.
AD (Authentic Data) flag.
RRSIG (Resource Record Signature) flag.

Finally the plugin checks how many days the zone will remain signed valid until resigning is required, the initial default is 30 days. The plugin requires that correctly configured Bind DNS server has a valid DNSSEC installation with corresponding configured zone files to match. The configuration of the server and corresponding DNSSEC zone files and records are beyond the scope of this manual.

Nagios Server Configuration:

commands.cfg:

define command{
command_name check_dnssec_remote
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_dnssec -a $ARG1$ $ARG2$ $ARG3$
}


hostedserver.cfg:

define service {
use generic-service
host_name ns1.bind-dns-server.com
service_description DNSSEC - example.com
check_command check_dnssec_remote!example.com!10!3
}


DNS Remote Server To Be Monitored:

nrpe.cfg:

command[check_dnssec]=/usr/lib64/nagios/plugins/check_dnssec.sh $ARG1$ $ARG2$ $ARG3$


Notes:
Install this plugin into the path /usr/lib64/nagios/plugins/ (or wherever you plugins are clearresiding), on the remote DNS server ensuring that the file check_dnssec.sh has executable capabilities.