Nagios Support Forum

Is it possible to monitor DNSSEC key expiration through Nagios? If so, is it native or does it require a third-party tool? I've been trying to find something that will monitor our DNS key expiration dates and report the keys that are about to expire (>30 days). The ones I have found online seem to require numerous additional packages be installed and/or don't have a lot of support. Can anyone help me out?

Have you looked at this website for dnssec monitoring?

abrist wrote:Have you looked at this website for dnssec monitoring?

Thanks for the link. I had not seen that yet, but I'm a little unsure of how it would work for me. I'm worried that I'm over-thinking this. We currently have 8 DNS zones, so we have a list of zone-signing keys that we would like to monitor the expire date of; would any of those add-ons do that? I'm not very well-versed on DNS and all it's intricacies, so I'm being very careful on what I try/do to reach my goal.

What method are you currently using to check the expiration date? You are correct that there may very well be a much easier way, though it probably requires write a short custom script.

abrist wrote:What method are you currently using to check the expiration date? You are correct that there may very well be a much easier way, though it probably requires write a short custom script.

We currently aren't using anything. The zone-signing keys expired without anyone realizing it and it caused DNS1 to stop replicating/syncing with DNS2/3. I am trying to find some way to monitor the keys, so that doesn't happen again.

You may want to look at the "ldns" package, as it can check records and print expiration dates for dnskeys (ldns-rrsig). You will have to create a script to plug it into nagios:
http://www.nlnetlabs.nl/projects/ldns/
http://nagiosplug.sourceforge.net/devel ... lines.html