Icinga/Nagios check for DNSSEC validation
Monitoring the chain of trust for early warnings of breakage
December 19, 2016
DNS
DNSSEC
Monitoring
When running a domain with DNSSEC enabled, it is important to monitor it. Apart from monitoring whether the nameserver is running, is responding to UDP and TCP queries, the domain is served by the nameserver and whether the RRSIGs are valid (you do all that already right?), knowing if the chain of trust to the domain is valid is just as important. Has someone removed the DS? Did someone do a KSK rollover without notifying the registrar? These are only some of the DNSSEC failures that can only be detected by validating the chain of trust.
For this purpose, I wrote a small Nagios/Icinga script a few years ago that does just this, but never released it publicly. The code is up on GitHub for your downloading pleasure.