forked from jpmens/nagval

nagval.pandoc
% NAGVAL(8) User Manuals
% Jan-Piet Mens
% April 4, 2011

# NAME

nagval - Nagios/Icinga plugin to check validity of one or more DNSSEC domains

# SYNOPSIS

nagval [-f _file_] [_domain_ _rr_]

# DESCRIPTION

*nagval* (i.e. "Nagios Validator") is a Nagios/Icinga plugin to check the validity
of a DNSSEC-signed zone over the DNS.

Typical use of *nagval* as a Nagios plugin is to specify a single _domain_ and
_resource record type_. Optionally, a list of domains can be provided in a file.
# MOTIVATION

Why another DNSSEC validator? There are lots of those around already!

Yes, there are (see below). Most of them retrieve an RRSIG and perform date
arithmetic on the expiration times. Based on an idea I read in a paper
by Stephane Bortzmeyer, I decided to have a validating resolving DNS
server do the brunt of the validation work -- after all, that's what it's
supposed to be good at, right?

That is what *nagval* does. It uses the _dnsval_ library from the DNSSEC-Tools
project to send a query to a validating resolver and evaluates the results returned
in the answer. For example, if I check a domain using a BIND validating resolver

    $ nagval jpmens.org SOA
    jpmens.org/SOA: SUCCESS

I see the following in BIND's log

    query: jpmens.org IN SOA +EDC (127.0.0.1)
    query: jpmens.org IN DNSKEY +EDC (127.0.0.1)
    query: jpmens.org IN DS +EDC (127.0.0.1)
    query: org IN DNSKEY +EDC (127.0.0.1)
    query: org IN DS +EDC (127.0.0.1)
    query: . IN DNSKEY +EDC (127.0.0.1)

Note how *nagval* issued queries with EDNS0, DNSSEC OK (DO) and Checking Disabled (CD).
# OPTIONS

*nagval* understands the following options.

-f *file*
:   Specify a file containing a list of domains to check. The file must contain
    a list of domains, one per line, where each domain is optionally followed by
    a slash (/) and a DNS resource record type to check. The type defaults to
    *SOA* if it is not specified.

-v
:   Verbose. Use with _-f_ for verbose output.

Example:

    $ cat domains
    google.com/A
    orange.kame.net/AAAA
    ip.jpmens.org/a
    infoblox.com/NS
    jasadvisors.com/DNSKEY
    verisignlabs.com
    chainzombies.com/A
    sanibar.com
    ibadancer.com
    wnagele.com/A
    b.aa/soa

    $ nagval -v -f domains
    google.com/A: PINSECURE
    orange.kame.net/AAAA: PINSECURE
    ip.jpmens.org/A: SUCCESS
    infoblox.com/NS: SUCCESS
    jasadvisors.com/DNSKEY: SUCCESS
    verisignlabs.com/SOA: SUCCESS
    chainzombies.com/A: SUCCESS
    sanibar.com/SOA: SUCCESS
    ibadancer.com/SOA: SUCCESS
    wnagele.com/A: SUCCESS
    b.aa/SOA: UNTRUSTED_ANSWER
    11 domains checked: 8 valid, 3 warnings
# BUGS

Yes.

# RETURN CODES

*nagval* exits with code 0, 1, or 2, indicating a status of OK, WARNING, or
CRITICAL respectively. Currently, if a domain does not validate, a status of
CRITICAL is issued; otherwise OK.
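The `-f` file format described under OPTIONS and the exit-code rule under RETURN CODES, reimplemented as an added Python example (not part of nagval, which is written in C against dnsval). The validation lookup is replaced by a constructed table of statuses taken from the sample run above, so the script runs offline; the handling of blank and `#` lines is an assumption.

```python
"""nagval-style domain-list parsing and Nagios exit-code aggregation."""
from typing import Callable

# Nagios plugin exit codes, as documented under RETURN CODES.
OK, WARNING, CRITICAL = 0, 1, 2

# Constructed sample in the -f file format (subset of the OPTIONS example).
SAMPLE_DOMAINS = """\
google.com/A
orange.kame.net/AAAA
ip.jpmens.org/a
infoblox.com/NS
verisignlabs.com
b.aa/soa
"""

# Constructed stand-in for the dnsval lookup: (domain, rrtype) -> status string,
# using the statuses shown in the sample run on this page.
FAKE_RESULTS = {
    ("google.com", "A"): "PINSECURE",
    ("orange.kame.net", "AAAA"): "PINSECURE",
    ("ip.jpmens.org", "A"): "SUCCESS",
    ("infoblox.com", "NS"): "SUCCESS",
    ("verisignlabs.com", "SOA"): "SUCCESS",
    ("b.aa", "SOA"): "UNTRUSTED_ANSWER",
}


def fake_validate(domain: str, rrtype: str) -> str:
    return FAKE_RESULTS.get((domain, rrtype), "UNTRUSTED_ANSWER")


def parse_domain_list(text: str) -> list[tuple[str, str]]:
    """Parse 'domain[/RRTYPE]' lines; the type defaults to SOA and is upper-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank/comment lines (assumption)
            continue
        domain, sep, rrtype = line.partition("/")
        entries.append((domain, rrtype.upper() if sep and rrtype else "SOA"))
    return entries


def run_checks(entries, validate: Callable[[str, str], str]) -> tuple[int, list[str]]:
    """Check every entry; return the Nagios exit code and the output lines."""
    lines, valid = [], 0
    for domain, rrtype in entries:
        status = validate(domain, rrtype)
        lines.append(f"{domain}/{rrtype}: {status}")
        if status == "SUCCESS":
            valid += 1
    failed = len(entries) - valid
    # Summary counts non-SUCCESS results as "warnings" like the sample run, but per
    # RETURN CODES any domain that does not validate makes the whole check CRITICAL.
    lines.append(f"{len(entries)} domains checked: {valid} valid, {failed} warnings")
    return (CRITICAL if failed else OK), lines


if __name__ == "__main__":
    code, output = run_checks(parse_domain_list(SAMPLE_DOMAINS), fake_validate)
    print("\n".join(output))
    raise SystemExit(code)
```

Swapping `fake_validate` for a function that calls the real validator keeps the parsing and Nagios exit semantics unchanged.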
# AVAILABILITY

<http://github.com/jpmens/nagval>

# CREDITS

* This program requires *dnsval*, a library provided by the DNSSEC-Tools
  project <https://www.dnssec-tools.org/>

# INSTALLATION

* Obtain `dnsval-2.1` (or higher) from <http://www.dnssec-tools.org/download/>, extract
  it and run the typical `./configure && make` thing.
* Adjust `LIBS` in our `Makefile` accordingly.
* Run `make`.

# SEE ALSO

* `resolver`(5).
* <http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-07>
* <https://github.com/dotse/dnssec-monitor>
* <http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html>
* <http://zonecheck.fr>

# AUTHOR

Jan-Piet Mens <http://mens.de>