New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
check_dig: -T soa broken as of version 2.4.3 #738
Comments
Hi, Maggu. IMO, the problem with the old behaviour is that, when for example one is testing any given DNS record for a required specific value:
If partial matches are accepted, then it's impossible for Nagios to check that the A record is correct, because a match string of "4.2.2.2" could match 4.2.2.200 or 204.2.2.29, or any of dozens of things. What specific DNS functionality are you hoping to monitor/verify with your SOA request? I'm wondering if there is a less verbose resource record, one that is also less likely to frequently change, that might be a better surrogate. If all you want to check is that an SOA of some type does indeed exist, then your example works for me if I omit the trailing dot on the domain:
|
Hello! Yes, I completely understand why it was changed and what the change was meant to solve. I'm trying to point out that the change is also breaking other things. One thing we're monitoring is that the domain delegation is correct. If you have several domains, not all of them might be actively used and a change might not otherwise be noted. For example, if the registration expires or the domain is somehow hijacked. If you're a large organization, at least the first case tends to happen occasionally because of human errors. I don't believe we're alone in this. I also currently don't see a good alternative. Just verifying that a SOA exists is not enough. NS records are hard to monitor, since there are always multiple ones and you can't know which one you will get back in the reply. I suppose possible solutions might be to introduce a new flag to modify the behaviour, or to stop comparing if whitespace is encountered. That latter should be enough to solve the A/AAAA issue I guess. |
Hmm. Actually, monitoring NS records seems to work. check_dig handles it better than I thought. |
I've rewritten our SOA checks to NS checks and upgraded from 2.4.0 to 2.4.6 in the test environment. Those now work. However, there are apparently also issues with PTR records in 2.4.3: With 2.4.0:
With 2.4.6:
|
Just as additional information, even as of 2.4.4:
|
I see. So in fact a different bug then. Should I create a new issue? |
My Gee, I asked you this, but I didn't ponder the question myself. I am using Once you have both
HTH, Jim |
I do get spaces with dig and tabs with drill, yes.
Would you mind sharing the thoughts behind this experiment? I take it then that you are unable to reproduce it with 2.4.6 on your system? |
|
My PR #745 seems to fixes this issue also. |
Awesome! Then it looks like all my problems have some solution. If the decision is that SOA monitoring shouldn't work with this plugin in the future, I think the issue can be closed. |
I'm realizing now that I never commented on this issue - sorry about that. If you're relying on the plugin to monitor SOA records and that's broken now, then we broke backward compatibility and my intention is for us to fix that in a future release. I agree with other commenters that the majority of DNS monitoring will probably want an exact match, but the decision we usually make there is to introduce a flag that allows exact matching (see also |
It would appear that check_dig now requires exact matches (PR #652), or the result is a "WARNING".
This completely breaks any monitoring of SOA records. Unless I'm mistaken, there's no way to even use "-T soa" and not get a "WARNING"? That is unless the SOA serial number is included, and it goes without saying that's not really feasible.
This worked fine before 2.4.3. I would appreciate to have an option for partial matches available again.
The text was updated successfully, but these errors were encountered: