/
nagval.8
148 lines (147 loc) · 3.78 KB
/
nagval.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
.TH "NAGVAL" "8" "April 4, 2011" "User Manuals" ""
.SH NAME
.PP
nagval \- Nagios/Icinga plugin to check validity of one or more DNSSEC
domains
.SH SYNOPSIS
.PP
nagval [\-f \f[I]file\f[]] [\f[I]domain\f[] \f[I]rr\f[]]
.SH DESCRIPTION
.PP
\f[I]nagval\f[] (i.e.
"Nagios Validator") is a Nagios/Icinga plugin to check the validity of a
DNSSEC\-signed zone over the DNS.
.PP
Typical use of \f[I]nagval\f[] as a Nagios plugin is to specify a single
\f[I]domain\f[] and \f[I]resource record type\f[].
Optionally, a list of domains can be provided in a file.
.SH MOTIVATION
.PP
Why another DNSSEC validator?
There are lots of those around already! Yes, there are (see below).
Most of them retrieve an RRSIG and perform date arithmetic on the
expiration times.
Based on an idea I read in a paper by Stephane Bortzmeyer, I decided to
have a validating resolving DNS server do the brunt of the validation
work \-\- after all, that\[aq]s what it\[aq]s supposed to be good at,
right?
.PP
That is what \f[I]nagval\f[] does.
It uses the \f[I]dnsval\f[] library from the DNSSEC\-Tools project to
send a query to a validating resolver, evaluating the results returned
in the answer.
For example, If I check a domain using a BIND validating resolver
.IP
.nf
\f[C]
$\ nagval\ jpmens.org\ SOA
jpmens.org/SOA:\ SUCCESS
\f[]
.fi
.PP
I see the following in BIND\[aq]s log
.IP
.nf
\f[C]
query:\ jpmens.org\ IN\ SOA\ +EDC\ (127.0.0.1)
query:\ jpmens.org\ IN\ DNSKEY\ +EDC\ (127.0.0.1)
query:\ jpmens.org\ IN\ DS\ +EDC\ (127.0.0.1)
query:\ org\ IN\ DNSKEY\ +EDC\ (127.0.0.1)
query:\ org\ IN\ DS\ +EDC\ (127.0.0.1)
query:\ .\ IN\ DNSKEY\ +EDC\ (127.0.0.1)
\f[]
.fi
.PP
Note how \f[I]nagval\f[] issued queries with EDNS0 DNSSEC OK (DO) and
Checking Disabled (CD).
.SH OPTIONS
.PP
\f[I]nagval\f[] understands the following options.
.TP
.B \-f \f[I]file\f[]
Specify a file containing a list of domains to check.
The file must contain a list of domains, one per line, where each domain
is optionally followed by a slash (/) and a DNS resource record type to
check.
The type defaults to \f[I]SOA\f[] if it is not specified.
.RS
.RE
.TP
.B \-v
Verbose.
Use with \f[I]\-f\f[] for verbose output.
.RS
.RE
.PP
Example:
.IP
.nf
\f[C]
$\ cat\ domains
google.com/A
orange.kame.net/AAAA
ip.jpmens.org/a
infoblox.com/NS
jasadvisors.com/DNSKEY
verisignlabs.com
chainzombies.com/A
sanibar.com
ibadancer.com
wnagele.com/A
b.aa/soa
$\ nagval\ \-v\ \-f\ domains
google.com/A:\ PINSECURE
orange.kame.net/AAAA:\ PINSECURE
ip.jpmens.org/A:\ SUCCESS
infoblox.com/NS:\ SUCCESS
jasadvisors.com/DNSKEY:\ SUCCESS
verisignlabs.com/SOA:\ SUCCESS
chainzombies.com/A:\ SUCCESS
sanibar.com/SOA:\ SUCCESS
ibadancer.com/SOA:\ SUCCESS
wnagele.com/A:\ SUCCESS
b.aa/SOA:\ UNTRUSTED_ANSWER
11\ domains\ checked:\ 8\ valid,\ 3\ warnings
\f[]
.fi
.SH BUGS
.PP
Yes.
.SH RETURN CODES
.PP
\f[I]nagval\f[] exits with a code 0, 1, or 2 indicating a status of OK,
WARNING, or CRITICAL.
Currently, if a domain does not validate a status CRITICAL is issued,
else OK.
.SH AVAILABILITY
.PP
<http://github.com/jpmens/nagval>
.SH CREDITS
.IP \[bu] 2
This program requires \f[I]dnsval\f[], a library provided by the
DNSSEC\-tools project <https://www.dnssec-tools.org/>
.SH INSTALLATION
.IP \[bu] 2
Obtain \f[C]dnsval\-2.1\f[] (or higher) from
<http://www.dnssec-tools.org/download/>, extract and run the typical
\f[C]\&./configure\ &&\ make\f[] thing.
.IP \[bu] 2
Adjust \f[C]LIBS\f[] in our \f[C]Makefile\f[] accordingly
.IP \[bu] 2
Run \f[C]make\f[]
.SH SEE ALSO
.IP \[bu] 2
\f[C]resolver\f[](5).
.IP \[bu] 2
<http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-07>
.IP \[bu] 2
<https://github.com/dotse/dnssec-monitor>
.IP \[bu] 2
<http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html>
.IP \[bu] 2
<http://zonecheck.fr>
.SH AUTHOR
.PP
Jan\-Piet Mens <http://mens.de>
.SH AUTHORS
Jan\-Piet Mens.