Nagios and DNS key expiration monitoring
Is it possible to monitor DNSSEC key expiration through Nagios? If so, is it native or does it require a third-party tool? I've been trying to find something that will monitor our DNS key expiration dates and report the keys that are about to expire (>30 days). The ones I have found online seem to require numerous additional packages be installed and/or don't have a lot of support. Can anyone help me out?
Re: Nagios and DNS key expiration monitoring
Have you looked at this website for dnssec monitoring?
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: Nagios and DNS key expiration monitoring
abrist wrote: Have you looked at this website for dnssec monitoring?
Thanks for the link. I had not seen that yet, but I'm a little unsure of how it would work for me. I'm worried that I'm over-thinking this. We currently have 8 DNS zones, so we have a list of zone-signing keys that we would like to monitor the expire date of; would any of those add-ons do that? I'm not very well-versed on DNS and all its intricacies, so I'm being very careful on what I try/do to reach my goal.
Re: Nagios and DNS key expiration monitoring
What method are you currently using to check the expiration date? You are correct that there may very well be a much easier way, though it probably requires writing a short custom script.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: Nagios and DNS key expiration monitoring
abrist wrote: What method are you currently using to check the expiration date? You are correct that there may very well be a much easier way, though it probably requires writing a short custom script.
We currently aren't using anything. The zone-signing keys expired without anyone realizing it and it caused DNS1 to stop replicating/syncing with DNS2/3. I am trying to find some way to monitor the keys, so that doesn't happen again.
Re: Nagios and DNS key expiration monitoring
You may want to look at the "ldns" package, as it can check records and print expiration dates for dnskeys (ldns-rrsig). You will have to create a script to plug it into nagios:
http://www.nlnetlabs.nl/projects/ldns/
http://nagiosplug.sourceforge.net/devel ... lines.html
Code:
$ yum install ldns
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
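One way to write the short custom script suggested in the thread, as an added example that is not part of any post and is not code from the ldns or Nagios projects. Rather than parsing ldns-rrsig output, it assumes RRSIG records in the one-line presentation format that dig +dnssec prints, and maps the soonest signature expiration to Nagios plugin exit codes. The 30-day warning comes from the question; the 7-day critical threshold, the function names and the sample records are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Nagios-style check: report the soonest-expiring RRSIG in dig-style text."""
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes
NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}

# Constructed sample records (keys and signatures are placeholders).
SAMPLE = """\
example.com. 3600 IN DNSKEY 257 3 8 Q29uc3RydWN0ZWRLZXk=
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20240215000000 20231216000000 12345 example.com. c2ln
example.com. 3600 IN RRSIG SOA 8 2 3600 20240120000000 20231221000000 54321 example.com. c2ln
"""

def parse_rrsigs(text):
    """Yield (owner, type_covered, key_tag, expiration) per RRSIG line.

    Assumes one record per line as: owner TTL class RRSIG <rdata>.
    """
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        stamp = f[8]  # signature expiration, YYYYMMDDHHmmSS in UTC
        if len(stamp) != 14 or not stamp.isdigit():
            raise ValueError(f"unsupported expiration format: {stamp!r}")
        exp = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        yield f[0], f[4], int(f[10]), exp

def check(text, now, warn_days=30, crit_days=7):
    """Return (exit_code, message) for the signature that expires first."""
    try:
        sigs = sorted(parse_rrsigs(text), key=lambda s: s[3])
    except ValueError as err:
        return UNKNOWN, f"UNKNOWN - {err}"
    if not sigs:
        return UNKNOWN, "UNKNOWN - no RRSIG records in input"
    owner, covered, tag, exp = sigs[0]
    days = (exp - now).total_seconds() / 86400
    code = CRITICAL if days < crit_days else WARNING if days < warn_days else OK
    return code, (f"{NAMES[code]} - RRSIG({covered}) {owner} key tag {tag} "
                  f"expires {exp:%Y-%m-%d} ({days:.1f} days left)")

if __name__ == "__main__":
    # Assumed usage: pipe one zone's "dig +dnssec DNSKEY <zone>" output to stdin.
    code, message = check(sys.stdin.read(), datetime.now(timezone.utc))
    print(message)
    sys.exit(code)
```

An input with no RRSIG lines, or with an expiration that is not in the 14-digit form, returns UNKNOWN rather than OK, so a broken query does not look like a healthy zone.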