A tiny Nagios plugin to check DNSSEC RRSIG expiry

Nov 14, 2018 ·

I have used both Icinga and Nagios to monitor a variety of infrastructures, at work, at home and anywhere in between. They share a large set of very useful plugins for monitoring standard things, from basic ping checks to filesystem mounts. Occasionally I have had to write the odd script to monitor something ridiculously niche, like split-brain HSRP status between pairs of Cisco routers.

This one is a plugin for checking RRSIG expiry dates on DNSSEC records. There are other plugins out there that do exactly this, but I could not find one that did not depend on a ton of other packages (libnet-dns-sec-perl, anyone?). So I decided to write something with a minimal footprint, and ended up with a Python wrapper around dig. Of course, this depends on dig (which should come with the plugin installation) as well as Python; the Python part is optional if you rewrite this in bash.

A quick word on RRSIGs and DNSSEC:

RRSIGs are the signature records of a zone: each one carries a cryptographic signature over one RRset, together with an inception and an expiration timestamp, and a validating resolver only accepts the RRset while the signature is inside that window. When you sign a zone with the usual tooling, the signatures are typically valid for 30 days (this is the default validity period in BIND's dnssec-signzone). The recommendation is to re-sign the zone once a day, so a healthy zone should never be serving a signature with less than about 29 days left; anything below that means re-signing has stalled, and once the signature expires the zone goes bogus for every validating resolver. This is why the plugin default is to warn if the signature expires in less than 29 days (the warning and critical thresholds can be changed with the -w and -c command line arguments; the server to check against can be specified with -s):

$ ./check_dns_rrsig.py cloudflare.com
Signature expires in 1 days
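As an added example (this is not the plugin from this post, just a check written in the same spirit), here is a minimal Python 3 script that wraps dig the same way: it runs dig +dnssec +noall +answer, pulls the expiration field out of every RRSIG in the answer, and maps the earliest one to Nagios exit codes. The -w/-c/-s options mirror the ones described above; the critical default of 1 day, the -t record type option, the script name and the dig output below are my assumptions (the sample output is constructed and its signatures are placeholders).

```python
#!/usr/bin/env python3
"""Minimal RRSIG expiry check in the style of a Nagios plugin.

Added example, not the plugin from the post: it wraps dig the same way, but
the code, defaults and option names below are assumptions of this example.
"""
import argparse
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Nagios/Icinga plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of what `dig +dnssec +noall +answer cloudflare.com A`
# prints (tab-separated fields, one record per line). The RRSIG RDATA fields
# are: type covered, algorithm, labels, original TTL, expiration, inception,
# key tag, signer name, signature. The signatures here are placeholders.
SAMPLE_DIG_OUTPUT = (
    "cloudflare.com.\t300\tIN\tA\t104.16.132.229\n"
    "cloudflare.com.\t300\tIN\tA\t104.16.133.229\n"
    "cloudflare.com.\t300\tIN\tRRSIG\tA 13 2 300 20181116120000 20181114100000 "
    "34505 cloudflare.com. x2l7ZcPlaceholder==\n"
    "cloudflare.com.\t3600\tIN\tRRSIG\tSOA 13 2 3600 20181121120000 20181114100000 "
    "34505 cloudflare.com. AbCdEfPlaceholder==\n"
)


def parse_rrsig_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_expirations(dig_output):
    """Return [(type_covered, expiration)] for every RRSIG line in dig's answer."""
    found = []
    for line in dig_output.splitlines():
        fields = line.split()
        # owner, TTL, class, "RRSIG", then the RDATA fields; we need index 8
        # (expiration), so anything shorter is not a usable RRSIG line.
        if len(fields) < 9 or fields[3] != "RRSIG":
            continue
        found.append((fields[4], parse_rrsig_time(fields[8])))
    return found


def evaluate(dig_output, now, warn_days=29.0, crit_days=1.0):
    """Map the earliest-expiring RRSIG in the answer to (exit_code, message)."""
    sigs = parse_rrsig_expirations(dig_output)
    if not sigs:
        # No RRSIG at all: unsigned zone, or a resolver that stripped DNSSEC
        # data. Either way this must never be reported as OK.
        return UNKNOWN, "UNKNOWN: no RRSIG records in the answer"
    type_covered, soonest = min(sigs, key=lambda sig: sig[1])
    days_left = (soonest - now) / timedelta(days=1)
    msg = "Signature covering %s expires in %.1f days (%s)" % (
        type_covered, days_left, soonest.strftime("%Y-%m-%d %H:%M UTC"))
    if days_left <= 0:
        return CRITICAL, "CRITICAL: " + msg + ", already expired, zone is bogus"
    if days_left < crit_days:
        return CRITICAL, "CRITICAL: " + msg
    if days_left < warn_days:
        return WARNING, "WARNING: " + msg
    return OK, "OK: " + msg


def run_dig(name, rrtype="A", server=None):
    """Run dig (must be on PATH) and return the answer section as text."""
    cmd = ["dig", "+dnssec", "+noall", "+answer"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rrtype]
    return subprocess.check_output(cmd, universal_newlines=True)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Warn/crit on DNSSEC RRSIG expiry")
    ap.add_argument("name", nargs="?", help="name to query; omit to evaluate the built-in sample")
    ap.add_argument("-t", "--type", default="A", help="record type to query (default: A)")
    ap.add_argument("-s", "--server", help="nameserver to query instead of the system resolver")
    ap.add_argument("-w", "--warning", type=float, default=29.0, help="warn below this many days")
    ap.add_argument("-c", "--critical", type=float, default=1.0, help="critical below this many days")
    args = ap.parse_args()
    output = run_dig(args.name, args.type, args.server) if args.name else SAMPLE_DIG_OUTPUT
    code, message = evaluate(output, datetime.now(timezone.utc), args.warning, args.critical)
    print(message)
    sys.exit(code)
```

Two things worth keeping in mind with a check like this. The expiration field is UTC, so the comparison is only as good as the monitoring host's clock; keep it on NTP. And the 29-day default assumes the 30-day validity with daily re-signing described above; providers that re-sign far more often with short validity windows (cloudflare.com showing one day left in the run above is an example) will trip it constantly, so set -w per zone. Since dig only returns the RRSIG for the RRset you ask for, query the DNSKEY or SOA type as well if those are signed on a different schedule.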

Here is the plugin!

This is very, very basic, and it will do if all you want is something to tell you when an RRSIG is about to expire, without any other overhead.

Happy monitoring!