Skip to content
DNSSEC-monitoring tools used many TLDs
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This repository contains a number of DNSSEC related tools for monitoring of DNSSEC signed zones. Most of the tools are written in Perl.

The tools that are named nagios* are suitable from running as automated tests for monitoring such as Nagios.

List of the tools

Checks a DNSSEC signed domain for the signature validity. Shows warnings if the signature validity is too short, or errors if it is wrongly signed.

    dnssec_monitor [options] [nameservers]


     --help           brief help message
     --zone ZONE      zone to check
     --kskcritical N  check for KSK expire within DAYS days
     --kskwarning  N  check for KSK expire within DAYS days
     --zskcritical N  check for ZSK expire within DAYS days
     --zskwarning  N  check for ZSK expire within DAYS days
     --wildcard       disable the nxdomain check to allow for wildcards
     --nsec3          require NSEC3
     --debug          turn on debugging
     --quiet          be really quiet
     --version        display version and exit

     If no nameservers are specified, all nameservers for ZONE are checked.

This is the same type of tool as dnssec_monitor, suitable for running as a monitoring plugin for Nagios.

Usage: --zone zonename nameserver

            --zone zonename     The zone to test (required argument)
            --kskcritical=i     KSK critical (days) (7 is default)
            --kskwarning=i      KSK warning  (days) (14 is default)
            --zskcritical=i     ZSK critical (days) (1 is default)
            --zskwarning=i      ZSK warning  (days) (3 is default)
            --debug             Debug mode
            --dstport=i         Destination port on name server (53 is default)
            --wildcard          Disable the NXDOMAIN check to allow for wildcards
            --nsec3             Require NSEC3

Monitoring tool to look for open AXFR. Example output:

$ --zone --server
OK: zone transfer refused
Usage: --zone zonename --server nameserver

            --zone zone         The zone to test (required argument)
            --server server     Name server
            --debug             Debug mode
            --timeout=i         Timeout

Currently broken with newer Net::DNS versions.

This tool checks a complete zonefile from AXFR for the validity of DNSSEC signatures.

This timestamp check uses a DNS trick that checks the time on the name servers. The result of the check is a devation from local time per name server:

$ (                                     0 (                                     0

Test a domain for open AXFRs. Returns a list of name servers and the status of an AXFR test, like this:

$ OK: zone transfer refused WARNING: server not authoritative for

This is a shell script that uses for each name server.

You can’t perform that action at this time.