check_dnssec.sh

Current Version: 1.5
Last Release Date: 2021-06-04
Compatible With: Nagios 3.x
License: GPL
This plugin checks the validity of the vital DNSSEC components required for secure DNS resolution
of a correctly configured domain. The records and flags checked for validity are:

DS (Delegation Of Signing) record.
DNSKEY (Public Key) record.
AD (Authentic Data) flag.
RRSIG (Resource Record Signature) flag.

Finally, the plugin checks how many days the zone will remain validly signed before re-signing is required;
the initial default is 30 days. The plugin requires a correctly configured Bind DNS server with a valid DNSSEC installation and correspondingly configured zone files. The configuration of the server and the corresponding DNSSEC zone files and records is beyond the scope of this manual.
Copyright (c) 2021 Ryan Wilgoss (ryan.wilgoss@tridata-solutions.com)
Version: 1.5
Last Modified: 04/06/2021
License: GPL v3

System Requirements:
Nagios, Bash, Dig, NRPE Client (daemon), Bind DNS Server with DNSSEC and domain zones installed accordingly.

Usage: check_dnssec

Options:
/h = Display this help page

Command Line Example:

From the command line on the local DNS server:
# ./check_dnssec example.com 10 3

Result:
OK - Signed Zone Expires in 12 days: DS=OK, DNSKEY=OK, AD=OK, RRSEG=OK

Remote Command Line Example Using NRPE:

From the Nagios server, remotely via NRPE:
# ./check_nrpe -H <host> -c check_dnssec -a example.com 10 3

Result:
OK - Signed Zone Expires in 12 days: DS=OK, DNSKEY=OK, AD=OK, RRSEG=OK


Nagios Server Configuration:

commands.cfg:

define command{
    command_name check_dnssec_remote
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_dnssec -a $ARG1$ $ARG2$ $ARG3$
}


hostedserver.cfg:

define service {
    use generic-service
    host_name ns1.bind-dns-server.com
    service_description DNSSEC - example.com
    check_command check_dnssec_remote!example.com!10!3
}


DNS Remote Server To Be Monitored:

nrpe.cfg:

command[check_dnssec]=/usr/lib64/nagios/plugins/check_dnssec.sh $ARG1$ $ARG2$ $ARG3$


Notes:
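Install this plugin into the path /usr/lib64/nagios/plugins/ (or wherever your plugins reside) on the remote DNS server, ensuring that the file check_dnssec.sh is executable.
Because the NRPE command definition passes $ARG1$ $ARG2$ $ARG3$, NRPE on the DNS server must be built with command-argument support and have dont_blame_nrpe=1 set in nrpe.cfg; keep allowed_hosts restricted to the Nagios server when this is enabled.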
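
The signature-expiry check described above can be sketched as follows. This is an added example, not the code of check_dnssec.sh: the function names and the sample dig answer are constructed, the two numeric arguments are assumed to be warning and critical days in that order, and GNU date is assumed.

```shell
#!/bin/sh
# Added example (not from check_dnssec.sh): RRSIG expiry threshold check.
# Constructed sample of `dig +dnssec example.com SOA` answer lines.
SAMPLE_ANSWER='example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2021060401 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20210628000000 20210604000000 12345 example.com. c2FtcGxl'

# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS) found on stdin.
# Presentation format: owner ttl class RRSIG covered alg labels orig-ttl
# expiration inception key-tag signer signature -> expiration is field 9.
rrsig_expiration() {
    awk '$4 == "RRSIG" && length($9) == 14 && $9 ~ /^[0-9]+$/ { print $9 }' |
        sort -n | head -n 1
}

# Convert YYYYMMDDHHMMSS (UTC) to epoch seconds. Assumes GNU date (-d).
ts_to_epoch() {
    iso=$(printf '%s\n' "$1" |
        sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6/')
    date -u -d "$iso" +%s
}

# check_expiry NOW_EPOCH WARN_DAYS CRIT_DAYS   (dig answer on stdin)
# Prints a status line; returns Nagios codes 0=OK, 1=WARNING, 2=CRITICAL.
check_expiry() {
    now=$1; warn=$2; crit=$3
    exp=$(rrsig_expiration)
    if [ -z "$exp" ]; then
        echo "CRITICAL - No RRSIG in answer (zone unsigned or DO bit not set)"
        return 2
    fi
    left=$(( $(ts_to_epoch "$exp") - now ))
    if [ "$left" -le 0 ]; then
        echo "CRITICAL - Zone signature expired"
        return 2
    fi
    days=$(( left / 86400 ))
    if [ "$days" -le "$crit" ]; then state=CRITICAL; rc=2
    elif [ "$days" -le "$warn" ]; then state=WARNING; rc=1
    else state=OK; rc=0
    fi
    echo "$state - Signed Zone Expires in $days days"
    return "$rc"
}

# Demo with a fixed "now" so the result is reproducible.
printf '%s\n' "$SAMPLE_ANSWER" | check_expiry "$(ts_to_epoch 20210616000000)" 10 3
```

In production the input would come from a live dig query with DNSSEC records requested, and the current time from `date -u +%s`.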