
check_dnssec.sh

Description:

This plugin checks the validity of the vital DNSSEC components required for secure DNS resolution
of a correctly configured domain. The records and flags checked for validity are:

  • DS (Delegation Of Signing) record.
  • DNSKEY (Public Key) record.
  • AD (Authentic Data) flag.
  • RRSIG (Resource Record Signature) flag.

Finally, the plugin checks how many days the zone will remain validly signed before re-signing is required;
the initial default is 30 days. The plugin requires a correctly configured Bind DNS server with a valid DNSSEC installation and correspondingly configured zone files. Configuring the server and the corresponding DNSSEC zone files and records is beyond the scope of this manual.
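The AD-flag and signature-expiry parts of the check described above can be sketched as follows. This is an added example, not the plugin's own source: the function names and the sample dig lines are constructed, and it assumes the two numeric arguments are warning and critical thresholds in days, which the page does not state.

```shell
#!/bin/sh
# Added illustration, not the plugin's source. The dig output below is constructed.
SAMPLE_HEADER=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_RRSIG='example.com. 3600 IN RRSIG SOA 13 2 3600 20240613000000 20240514000000 12345 example.com. c2FtcGxl'

# Succeeds when the AD (Authentic Data) flag is present in a dig header line.
has_ad_flag() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# Prints the RRSIG expiration (field 9, YYYYMMDDHHMMSS, UTC) as epoch seconds.
# Assumes a date(1) that accepts -d "YYYY-MM-DD hh:mm:ss" (GNU coreutils, BusyBox).
rrsig_expiry_epoch() {
    ts=$(printf '%s\n' "$1" | awk '$4 == "RRSIG" { print $9; exit }')
    case "$ts" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;   # missing or malformed timestamp
    esac
    iso=$(printf '%s\n' "$ts" | sed -E 's/^(....)(..)(..)(..)(..)(..)$/\1-\2-\3 \4:\5:\6/')
    date -u -d "$iso" +%s
}

# Prints a status line and returns a Nagios state: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Args: header line, RRSIG line, warning days, critical days, current epoch seconds.
dnssec_state() {
    has_ad_flag "$1" || { echo "CRITICAL - AD flag not set"; return 2; }
    exp=$(rrsig_expiry_epoch "$2") || { echo "UNKNOWN - no parsable RRSIG"; return 3; }
    if [ "$exp" -le "$5" ]; then echo "CRITICAL - signature expired"; return 2; fi
    days=$(( ($exp - $5) / 86400 ))
    if [ "$days" -le "$4" ]; then echo "CRITICAL - Signed Zone Expires in $days days"; return 2; fi
    if [ "$days" -le "$3" ]; then echo "WARNING - Signed Zone Expires in $days days"; return 1; fi
    echo "OK - Signed Zone Expires in $days days"
}

# Fixed "now" so the sample run is reproducible.
SAMPLE_NOW=$(date -u -d '2024-06-01 00:00:00' +%s)
dnssec_state "$SAMPLE_HEADER" "$SAMPLE_RRSIG" 10 3 "$SAMPLE_NOW"
```

The AD flag is the validating resolver's verdict, so it is only meaningful when the query goes to a resolver, and over a path, that the monitoring host trusts.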

Current Version

1.5

Last Release Date

2021-06-04

Compatible With

  • Nagios 3.x

Owner

License

GPL


Copyright (c) 2021 Ryan Wilgoss (ryan.wilgoss@tridata-solutions.com)
Version: 1.5
Last Modified: 04/06/2021
License: GPL v3

System Requirements: Nagios, Bash, Dig, NRPE Client (daemon), Bind DNS Server with DNSSEC and domain zones installed accordingly.

Usage: check_dnssec

Options:

    /h = Display this help page

Command Line Example:

From the command line on the local DNS server:

    # ./check_dnssec example.com 10 3

Result:

    OK - Signed Zone Expires in 12 days: DS=OK, DNSKEY=OK, AD=OK, RRSEG=OK

Remote Command Line Example Using NRPE:

From the Nagios server, remotely via NRPE:

    # ./check_nrpe -H -c check_dnssec -a example.com 10 3

Result:

    OK - Signed Zone Expires in 12 days: DS=OK, DNSKEY=OK, AD=OK, RRSEG=OK

Nagios Server Configuration:

commands.cfg:

    define command{
        command_name    check_dnssec_remote
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_dnssec -a $ARG1$ $ARG2$ $ARG3$
    }

hostedserver.cfg:

    define service {
        use                     generic-service
        host_name               ns1.bind-dns-server.com
        service_description     DNSSEC - example.com
        check_command           check_dnssec_remote!example.com!10!3
    }

DNS Remote Server To Be Monitored:

nrpe.cfg:

    command[check_dnssec]=/usr/lib64/nagios/plugins/check_dnssec.sh $ARG1$ $ARG2$ $ARG3$

Notes:

Install this plugin into the path /usr/lib64/nagios/plugins/ (or wherever your plugins reside) on the remote DNS server, ensuring that the file check_dnssec.sh is executable.