Goal of this plugin is to monitor DNSSEC validation for a given zone using a DNSSEC validating resolver.
It covers the following cases:
- Resolver that doesn't validate DNSSEC signatures: emits a WARNING since the environment for the other check is broken and needs to be fixed first (which doesn't imply the signatures of that zone to be broken). This test is executed against the zone
dnssec-failed.org
but you can override this and provide your own always-failing zone - Unsigned zones: will emit a WARNING, as we expect this check to only be actively executed against DNSSEC enabled/signed zones
- Broken signature: will emit a CRITICAL, independent of whether the zone could be resolvable on a resolver without DNSSEC validation
- Expiry date of the RRSIG answer: the remaining lifetime is calculated and depending on the remaining % of the total lifetime, an alert can be generated
- emits a CRITICAL if the remaining percentage is < 10%
- emits a WARNING if the remaining percentage is < 20%
- emits an OK if none of the above match
- If there are multiple RRSIG entries with overlapping validity time-frames, we're fine, if at least one of them fulfills the minimum remaining lifetime check
- is configurable via command line options, see table below
Clone this repository into the directory where you have all your other plugins, for Icinga on Ubuntu, this is probably /usr/lib/nagios/plugins
but could be somewhere else on your system:
cd /usr/lib/nagios/plugins
git clone https://github.com/mrimann/check_dnssec_expiry.git
To add the check to your Icinga installation, first add the following command definition e.g. to /etc/icinga/objects/commands.cfg
:
# 'check_dnssec_expiry' command definition
define command {
command_name check_dnssec_expiry
command_line $USER1$/check_dnssec_expiry/check_dns_expiry.sh -z $ARG1$ -r $ARG2$ -f $ARG3$
}
And second, add a service definiton per zone to e.g. /etc/icinga/objects/services.cfg
:
define service {
use critical-service
name check_dnssec_expiry ZONE
description DNSSEC ZONE
host_name NAMESERVER
check_command check_dnssec_expiry!ZONE
normal_check_interval 60
retry_check_interval 5
}
In the above snippet, replace ZONE with the zone to be checked, e.g. "example.org" and NAMESERVER with your Nameserver (basically it doesn't matter since the check is executed on the Icinga host itself in this basic setup).
Please adapt the above snippets to your needs!!! (and refer to the documentation of your monitoring system for further details)
Clone this repository into the directory where you have all your other plugins, for Icinga on Ubuntu, this is probably /usr/lib/nagios/plugins
but could be somewhere else on your system:
cd /usr/lib/nagios/plugins
git clone https://github.com/mrimann/check_dnssec_expiry.git
To add the command check to your Icinga2 installation, first add the following command definition e.g. to /etc/icinga2/conf.d/commands.conf
:
# 'check_dnssec_expiry' command definition
object CheckCommand "dnssec_expiry" {
import "plugin-check-command"
command = [ PluginDir + "/check_dnssec_expiry.sh" ]
arguments = {
"-z" = {
required = true
value = "$zone$"
}
"-w" = "$dnssec_warn$" // Default = 20
"-c" = "$dnssec_crit$" // Default = 10
"-r" = "$resolver$" // Default = 8.8.8.8
"-f" = "$failing$" // Sets the always failing domain (to verify function of resolver). Default = dnssec-failed.org
}
}
Then add a service definition e.g. to /etc/icinga2/conf.d/services.conf
:
apply Service "dnssec" for (zone in host.vars.dnssec_zones) {
import "generic-service"
vars.zone = zone
vars.resolver = "127.0.0.1"
display_name = "DNSSEC signature expiring"
check_command = "dnssec_expiry"
}
And finally, add a list of the zones to be checked to the hosts definition e.g. /etc/icinga2/conf.d/hosts.conf
:
/* DNSSEC checks -- https://github.com/mrimann/check_dnssec_expiry */
vars.dnssec_zones = ["zone1", "zone2", "zone3" ]
In the above snippet, replace zone1, zone2, zone3 with the zones to be checked. You can set vars.resolver to the address of a resolver to use, etc.
Please adapt the above snippets to your needs!!! (and refer to the documentation of your monitoring system for further details).
The script can also be used as-is as a data source for a Zabbix server external checks.
- save
check_dnssec_expiry.sh
to/usr/local/bin
- create wrapper scripts in the directory where Zabbix expects external scripts (
/usr/lib/zabbix/externalscripts
), replace2620:fe::fe
with the IP of the validating resolver of your preference. zext_dnssec_sig_percentage.sh
:
#!/bin/bash
/usr/local/bin/check_dnssec_expiry.sh -z $1 -r 2620:fe::fe | gawk 'match($$0, /sig_lifetime_percentage=([0-9]+)[^0-9]/, b) {print b[1]}'
zext_dnssec_sig_seconds.sh
:
#!/bin/bash
/usr/local/bin/check_dnssec_expiry.sh -z $1 -r 2620:fe::fe | gawk 'match($$0, /sig_lifetime=([0-9]+)\s/, a) {print a[1]}'
- Verify that the scripts are working and returning an integer (percentage or remaining seconds).
/usr/lib/zabbix/externalscripts/zext_dnssec_sig_percentage.sh switch.ch
98
/usr/lib/zabbix/externalscripts/zext_dnssec_sig_seconds.sh switch.ch
2010539
-
In the Zabbix GUI, create a template
DNSSEC signature expiration
and define external check items: -
zext_dnssec_sig_seconds.sh[{HOSTNAME}]
(Numeric unsigned, Unitss
) -
zext_dnssec_sig_percentage.sh[{HOSTNAME}]
(Numeric unsigned) -
Define Triggers/Alerts as usual, for example:
{Template DNSSEC signature expiration:zext_dnssec_sig_seconds.sh[{HOSTNAME}].last(#2)}<2d
to alert when the remaining signature lifetime falls below 2 days.
Option | Triggers what? | Mandatory? | Default value |
---|---|---|---|
-h | Renders the help / usage information | no | n/a |
-z | Sets the zone to validate, e.g. "example.org" | yes | n/a |
-w | Sets the warning percentage value regarding the remainig lifetime of the signature | no | 20 |
-c | Sets the critical percentage value regarding the remainig lifetime of the signature | no | 10 |
-r | Sets the resolver to use | no | 8.8.8.8 |
-f | Sets the always failing domain (used to verify the proper function of the resolving server | no | dnssec-failed.org |
-t | Sets the DNS record type to validate, e.g. "A" | no | SOA |
Well, it needs some serious testing to be honest - please provide feedback on whether the plugin helped and in which environment you tested it.
Feel free to file new issues if you find a problem or to propose a new feature. If you want to contribute your time and submit an improvement, I'm very eager to look at your pull request!
In case you want to discuss a new feature with me, just send me an e-mail.
Thanks for your support! (in chronological order)
- André Keller from VSHN
- Oli Schacher from Switch CERT
- Jan-Piet Mens www.jpmens.net
- Warren Kumari
- Rob J. Epping
- Thushjandan Ponnudurai
- Robin Meis @RobinMeis
Licensed under the permissive MIT license - have fun with it!
Yes, please! And if you save some of your precious time with it, I'd be very happy if you give something back - be it a warm "Thank you" by mail, spending me a drink at a conference, send me a post card or some other surprise :-)