Nagios/Icinga plugin to check validity of one or more DNSSEC domains
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.gitignore
Makefile
README.md
dnsval.conf
nagval.8
nagval.c
nagval.pandoc
resolv.conf

README.md

NAME

nagval - Nagios/Icinga plugin to check validity of one or more DNSSEC domains

SYNOPSIS

nagval [-f file] [domain rr]

DESCRIPTION

nagval (i.e. "Nagios Validator") is a Nagios/Icinga plugin to check the validity of a DNSSEC-signed zone over the DNS.

Typical use of nagval as a Nagios plugin is to specify a single domain and resource record type. Optionally, a list of domains can be provided in a file.

MOTIVATION

Why another DNSSEC validator? There are lots of those around already! Yes, there are (see below). Most of them retrieve an RRSIG and perform date arithmetic on the expiration times. Based on an idea I read in a paper by Stephane Bortzmeyer, I decided to have a validating resolving DNS server do the brunt of the validation work -- after all, that's what it's supposed to be good at, right?

That is what nagval does. It uses the dnsval library from the DNSSEC-Tools project to send a query to a validating resolver, evaluating the results returned in the answer. For example, If I check a domain using a BIND validating resolver

$ nagval jpmens.org SOA
jpmens.org/SOA: SUCCESS

I see the following in BIND's log

query: jpmens.org IN SOA +EDC (127.0.0.1)
query: jpmens.org IN DNSKEY +EDC (127.0.0.1)
query: jpmens.org IN DS +EDC (127.0.0.1)
query: org IN DNSKEY +EDC (127.0.0.1)
query: org IN DS +EDC (127.0.0.1)
query: . IN DNSKEY +EDC (127.0.0.1)

Note how nagval issued queries with EDNS0 DNSSEC OK (DO) and Checking Disabled (CD).

OPTIONS

nagval understands the following options.

-f file : Specify a file containing a list of domains to check. The file must contain a list of domains, one per line, where each domain is optionally followed by a slash (/) and a DNS resource record type to check. The type defaults to SOA if it is not specified. -v : Verbose. Use with -f for verbose output.

Example:

$ cat domains
google.com/A
orange.kame.net/AAAA
ip.jpmens.org/a
infoblox.com/NS
jasadvisors.com/DNSKEY
verisignlabs.com
chainzombies.com/A
sanibar.com
ibadancer.com
wnagele.com/A
b.aa/soa

$ nagval -v -f domains
google.com/A: PINSECURE
orange.kame.net/AAAA: PINSECURE
ip.jpmens.org/A: SUCCESS
infoblox.com/NS: SUCCESS
jasadvisors.com/DNSKEY: SUCCESS
verisignlabs.com/SOA: SUCCESS
chainzombies.com/A: SUCCESS
sanibar.com/SOA: SUCCESS
ibadancer.com/SOA: SUCCESS
wnagele.com/A: SUCCESS
b.aa/SOA: UNTRUSTED_ANSWER
11 domains checked: 8 valid, 3 warnings

BUGS

Yes.

RETURN CODES

nagval exits with a code 0, 1, or 2 indicating a status of OK, WARNING, or CRITICAL. Currently, if a domain does not validate a status CRITICAL is issued, else OK.

AVAILABILITY

http://github.com/jpmens/nagval

CREDITS

INSTALLATION

SEE ALSO

AUTHOR

Jan-Piet Mens http://mens.de