This repository contains a number of DNSSEC related tools for monitoring of DNSSEC signed zones. Most of the tools are written in Perl.

The tools whose names start with nagios* are suitable for running as automated checks from a monitoring system such as Nagios.

List of the tools

Checks a DNSSEC signed domain for the signature validity. Shows warnings if the signature validity is too short, or errors if it is wrongly signed.

    dnssec_monitor [options] [nameservers]


     --help           brief help message
     --zone ZONE      zone to check
     --kskcritical N  critical if KSK signatures expire within N days
     --kskwarning  N  warning if KSK signatures expire within N days
     --zskcritical N  critical if ZSK signatures expire within N days
     --zskwarning  N  warning if ZSK signatures expire within N days
     --wildcard       disable the nxdomain check to allow for wildcards
     --nsec3          require NSEC3
     --debug          turn on debugging
     --quiet          be really quiet
     --version        display version and exit

     If no nameservers are specified, all nameservers for ZONE are checked.

This is the same type of tool as dnssec_monitor, suitable for running as a monitoring plugin for Nagios.

Usage: --zone zonename nameserver

            --zone zonename     The zone to test (required argument)
            --kskcritical=i     KSK critical (days) (7 is default)
            --kskwarning=i      KSK warning  (days) (14 is default)
            --zskcritical=i     ZSK critical (days) (1 is default)
            --zskwarning=i      ZSK warning  (days) (3 is default)
            --debug             Debug mode
            --dstport=i         Destination port on name server (53 is default)
            --wildcard          Disable the NXDOMAIN check to allow for wildcards
            --nsec3             Require NSEC3
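The following is an added example of the signature-lifetime check that dnssec_monitor and its Nagios counterpart perform; it is not code from this repository. It works on RRSIG records in zone-file presentation format (constructed sample data is embedded so it runs offline), uses the Nagios plugin's default thresholds, and assumes that RRSIGs covering the DNSKEY RRset are attributed to the KSK and all others to the ZSK; the real tools may decide this from the key flags instead.

```python
"""Nagios-style RRSIG expiry check over DNSSEC records in presentation format.

Added example, not code from the dnssec-tools repository.
Assumption: an RRSIG over the DNSKEY RRset belongs to the KSK, any other RRSIG to the ZSK.
"""
import sys
from datetime import datetime, timezone

# Nagios plugin exit states
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_LABEL = ["OK", "WARNING", "CRITICAL", "UNKNOWN"]

# Constructed sample zone data (not a real zone).  RRSIG rdata fields:
# type-covered algorithm labels original-ttl expiration inception key-tag signer signature
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240520000000 20240420000000 12345 example.com. AAAA
example.com. 3600 IN RRSIG SOA 13 2 3600 20240503120000 20240420000000 54321 example.com. BBBB
www.example.com. 3600 IN RRSIG A 13 3 3600 20240505000000 20240420000000 54321 example.com. CCCC
"""


def parse_timestamp(ts):
    """Parse the YYYYMMDDHHMMSS timestamp used in RRSIG presentation format as UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_expirations(text):
    """Yield (owner, type covered, expiration datetime) for every RRSIG line in text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue  # skip non-RRSIG lines and malformed records
        yield fields[0], fields[4], parse_timestamp(fields[8])


def check_rrsig_expiry(text, now, kskcritical=7, kskwarning=14, zskcritical=1, zskwarning=3):
    """Return (nagios_state, message) based on the earliest-expiring KSK and ZSK signature.

    `now` is a YYYYMMDDHHMMSS string so the check is deterministic in tests.
    Thresholds are days, with the Nagios plugin's defaults.
    """
    now_dt = parse_timestamp(now)
    earliest = {}  # role -> (days left, owner, type covered)
    for owner, covered, expiry in parse_rrsig_expirations(text):
        role = "KSK" if covered == "DNSKEY" else "ZSK"  # assumption, see docstring
        days_left = (expiry - now_dt).total_seconds() / 86400
        if role not in earliest or days_left < earliest[role][0]:
            earliest[role] = (days_left, owner, covered)
    if not earliest:
        return UNKNOWN, "UNKNOWN: no RRSIG records found"

    thresholds = {"KSK": (kskcritical, kskwarning), "ZSK": (zskcritical, zskwarning)}
    state, messages = OK, []
    for role, (days_left, owner, covered) in sorted(earliest.items()):
        crit, warn = thresholds[role]
        if days_left <= crit:  # already-expired signatures (negative days) are critical too
            state = max(state, CRITICAL)
            messages.append(f"{role} RRSIG over {owner} {covered} expires in {days_left:.1f} days (critical <= {crit})")
        elif days_left <= warn:
            state = max(state, WARNING)
            messages.append(f"{role} RRSIG over {owner} {covered} expires in {days_left:.1f} days (warning <= {warn})")
        else:
            messages.append(f"{role} ok, {days_left:.1f} days left")
    return state, f"{STATE_LABEL[state]}: " + "; ".join(messages)


if __name__ == "__main__":
    # Stand-alone run against the constructed sample with the current time.
    state, message = check_rrsig_expiry(
        SAMPLE_RRSIGS, datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S"))
    print(message)
    sys.exit(state)
```

The state is the maximum over both key roles, so a ZSK inside its warning window and a KSK that is fine yields WARNING, while a single expired signature of either role yields CRITICAL regardless of the rest.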

Monitoring tool to look for open AXFR. Example output:

$ --zone --server
OK: zone transfer refused

Usage: --zone zonename --server nameserver

            --zone zone         The zone to test (required argument)
            --server server     Name server
            --debug             Debug mode
            --timeout=i         Timeout

Currently broken with newer Net::DNS versions.

This tool checks a complete zonefile from AXFR for the validity of DNSSEC signatures.

This timestamp check uses a DNS trick that reads the time on each name server. The result of the check is the deviation from local time, per name server:

$ (                                     0 (                                     0

Test a domain for open AXFRs. Returns a list of name servers and the status of an AXFR test, like this:

$ OK: zone transfer refused WARNING: server not authoritative for
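As an added example of what the open-AXFR monitor above and the per-name-server test report, the block below builds a TCP-framed AXFR query and classifies a server's reply into the same OK/WARNING/CRITICAL states. It is not code from this repository; the wire format is hand-rolled from the DNS message layout so it runs offline against constructed reply bytes, and the mapping (REFUSED is OK, NOTAUTH is the "not authoritative" warning, a NOERROR answer with records is an open transfer) is an assumption about how the tools classify.

```python
"""Build an AXFR query and classify the reply the way an open-AXFR monitor would.

Added example, not the repository's code.  Only the DNS header is inspected,
which is enough to tell a refusal from a transfer that was answered.
"""
import struct

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios exit states
QTYPE_AXFR, QCLASS_IN = 252, 1
RCODE_NOERROR, RCODE_REFUSED, RCODE_NOTAUTH = 0, 5, 9
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Encode a dotted domain name as wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, msg_id=0x1234):
    """Return the TCP-framed AXFR query: 2-byte length prefix + DNS message."""
    # flags 0: a zone transfer is not a recursive query
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    message = header + question
    return struct.pack("!H", len(message)) + message


def classify_axfr_response(raw, expected_id=0x1234):
    """Return (state, message) from the first TCP-framed DNS message in raw."""
    if len(raw) < 14:  # 2-byte length + 12-byte header at minimum
        return UNKNOWN, "UNKNOWN: short or empty response"
    (length,) = struct.unpack("!H", raw[:2])
    message = raw[2:2 + length]
    msg_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if msg_id != expected_id or not flags & FLAG_QR:
        return UNKNOWN, "UNKNOWN: reply does not match the query"
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return OK, "OK: zone transfer refused"
    if rcode == RCODE_NOTAUTH or not flags & FLAG_AA:
        return WARNING, "WARNING: server not authoritative for zone"
    if rcode == RCODE_NOERROR and ancount > 0:
        return CRITICAL, "CRITICAL: zone transfer allowed"
    return UNKNOWN, f"UNKNOWN: unexpected rcode {rcode}"


def _framed_reply(msg_id, flags, ancount):
    """Constructed TCP-framed reply carrying only a header (enough for classification)."""
    message = struct.pack("!HHHHHH", msg_id, flags, 0, ancount, 0, 0)
    return struct.pack("!H", len(message)) + message


# Constructed sample replies, not captured traffic.
REFUSED_REPLY = _framed_reply(0x1234, FLAG_QR | FLAG_AA | RCODE_REFUSED, 0)
NOTAUTH_REPLY = _framed_reply(0x1234, FLAG_QR | RCODE_NOTAUTH, 0)
OPEN_REPLY = _framed_reply(0x1234, FLAG_QR | FLAG_AA | RCODE_NOERROR, 42)

if __name__ == "__main__":
    print(build_axfr_query("example.com").hex())
    for reply in (REFUSED_REPLY, NOTAUTH_REPLY, OPEN_REPLY):
        print(classify_axfr_response(reply)[1])
```

A real check would send the query over TCP to each name server and pass the first framed reply to `classify_axfr_response`; the per-server loop in the shell script corresponds to calling this once per NS record of the zone.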

This is a shell script that uses for each name server.