Monitoring plugins for DNS-over-TLS servers
The results of the project have been documented on my blog
A project for the IETF 98 Hackathon.
DNS-over-TLS is specified in RFC 7858.
The idea is to allow monitoring of DNS-over-TLS services by creating a monitoring plugin (suitable for Nagios or compatible systems such as Icinga, by following their plugin API).
We'll test with the public DNS-over-TLS resolvers.
First possibility: use Go because it has both a nice DNS library and a good TLS standard package. TODO: see how to extract key and cert info from a session (parse the conn object? See the HTTP package to be sure. With the help of the TLS package?). TODO: what are the policy rules for the monitoring plugins project? (See the CODING file in the source distribution; it is mostly about source code presentation details.) Do they accept plugins written in Go? TODO: is it possible to follow exactly the rules of the Nagios API in Go (command-line arguments, for instance)? TODO: once done, publish on Monitoring Exchange.
Second possibility: C and getdns. TODO: see how to extract key and cert info from a session. Do a second connection with GnuTLS (with the risk of reaching a different server…), or ask getdns to provide the raw cert in the JSON answer (TODO: file a wishlist report). TODO: a good example in C? Probably use one of the monitoring plugins. check_dummy.c is a good starting point (especially for the standard command-line arguments), check_http.c a more complete one. An advantage of using C is that we may rely on the monitoring plugins' utilities such as the np_net_ssl_check_cert() function in plugins/sslutils.c to check the expiration date (we actually used GnuTLS services). To get the RTT, getdns can do it (return_call_reporting extension).
Must be able to specify: the resolver, of course, but also the DNS query name, the DNS query type, the expiration date threshold for the cert (like the check_http plugin), the pinned key… Bonus: being able to test the TLS configuration (no weak ciphers, etc.). Bonus: check the answer (mandatory content).
Must display the answer, and the RTT.
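The following is an added example, not the hackathon project's code, sketching the Go route with nothing but the standard library: it encodes the query in wire format by hand (the DNS library mentioned above is not named, so none is assumed), opens one verified TLS session, and answers the "extract key and cert info from a session" TODO by reading the leaf certificate from tls.Conn.ConnectionState() rather than opening a second connection. It checks the pinned key as an SPKI SHA-256 pin, the certificate expiry against a warning threshold, the RCODE and answer count, and reports the RTT as perfdata with the standard Monitoring Plugins exit codes. The command name check_dot, the 30-day threshold, the fixed query ID and the 5-second deadline are assumptions for the example; it does not yet display the answer records.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"strings"
	"time"
)

const OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3 // Monitoring Plugins exit codes

// BuildQuery encodes a DNS query (header plus one question) in wire format,
// prefixed with the two-byte length that DNS over TCP, and thus TLS, requires.
func BuildQuery(id uint16, name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], id)
	binary.BigEndian.PutUint16(msg[2:4], 0x0100) // RD: recursion desired
	binary.BigEndian.PutUint16(msg[4:6], 1)      // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1) // root label, QTYPE, QCLASS IN
	return append([]byte{byte(len(msg) >> 8), byte(len(msg))}, msg...)
}

// ParseHeader returns ID, RCODE and ANCOUNT from an unframed DNS response.
func ParseHeader(resp []byte) (id uint16, rcode int, ancount uint16, err error) {
	if len(resp) < 12 {
		return 0, 0, 0, fmt.Errorf("response of %d bytes is shorter than a DNS header", len(resp))
	}
	flags := binary.BigEndian.Uint16(resp[2:4])
	return binary.BigEndian.Uint16(resp[0:2]), int(flags & 0xF), binary.BigEndian.Uint16(resp[6:8]), nil
}

// Evaluate maps the observations to a plugin status and an output line with
// perfdata after the "|". An empty wantPin disables the pinned-key check.
func Evaluate(rcode int, ancount uint16, expiry, now time.Time, warnDays int,
	pin, wantPin string, rtt time.Duration) (int, string) {
	daysLeft := int(expiry.Sub(now).Hours() / 24)
	perf := fmt.Sprintf(" | rtt=%dms answers=%d days_left=%d", rtt.Milliseconds(), ancount, daysLeft)
	switch {
	case wantPin != "" && pin != wantPin:
		return CRITICAL, "CRITICAL - SPKI pin mismatch, server presented " + pin + perf
	case rcode != 0 || ancount == 0:
		return CRITICAL, fmt.Sprintf("CRITICAL - RCODE %d, %d answer(s)%s", rcode, ancount, perf)
	case daysLeft < 0:
		return CRITICAL, "CRITICAL - certificate expired" + perf
	case daysLeft < warnDays:
		return WARNING, fmt.Sprintf("WARNING - certificate expires in %d days%s", daysLeft, perf)
	}
	return OK, fmt.Sprintf("OK - %d answer(s), certificate valid for %d more days%s", ancount, daysLeft, perf)
}

// Check sends one query over a verified TLS session and reads the leaf certificate from that same session.
func Check(resolver, name string, qtype uint16, wantPin string, warnDays int) (int, string) {
	start := time.Now()
	conn, err := tls.Dial("tcp", resolver, &tls.Config{MinVersion: tls.VersionTLS12})
	if err != nil {
		return CRITICAL, "CRITICAL - TLS connection failed: " + err.Error()
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second)) // assumed timeout for the whole exchange
	if _, err = conn.Write(BuildQuery(0x1234, name, qtype)); err != nil {
		return CRITICAL, "CRITICAL - write failed: " + err.Error()
	}
	lenBuf := make([]byte, 2)
	if _, err = io.ReadFull(conn, lenBuf); err != nil {
		return CRITICAL, "CRITICAL - no response: " + err.Error()
	}
	resp := make([]byte, binary.BigEndian.Uint16(lenBuf))
	if _, err = io.ReadFull(conn, resp); err != nil {
		return CRITICAL, "CRITICAL - truncated response: " + err.Error()
	}
	rtt := time.Since(start)
	id, rcode, ancount, err := ParseHeader(resp)
	if err != nil || id != 0x1234 {
		return UNKNOWN, "UNKNOWN - malformed or mismatched response"
	}
	cert := conn.ConnectionState().PeerCertificates[0] // leaf certificate presented in this session
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)  // SPKI pin in the RFC 7469 form RFC 7858 uses
	return Evaluate(rcode, ancount, cert.NotAfter, time.Now(), warnDays, base64.StdEncoding.EncodeToString(sum[:]), wantPin, rtt)
}

func main() {
	if len(os.Args) < 3 {
		fmt.Println("UNKNOWN - usage: check_dot resolver:853 qname [expected-spki-pin]")
		os.Exit(UNKNOWN)
	}
	status, msg := Check(os.Args[1], os.Args[2], 1, strings.Join(os.Args[3:], ""), 30) // qtype 1 = A, warn 30 days before expiry
	fmt.Println(msg)
	os.Exit(status)
}
```

Because tls.Dial verifies the server certificate against the host part of the address, pass the resolver's hostname (rather than its IP) when its certificate carries only a DNS name; with an IP address, verification relies on an IP SAN. The pin check compares the SHA-256 of the leaf's SubjectPublicKeyInfo, which is the same value that survives certificate renewals as long as the key is kept, so it complements rather than replaces the expiry check.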