A simple Icinga/Nagios script to validate DNSSEC
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



An extremely short Nagios/Icinga script to validate the DNSSEC chain of trust. It does so by querying for the SOA record of a zone and validating the records.

As this script validates the chain of trust, it is possible it will report DNSSEC failures for domains that are not the domain's operator's fault. e.g. A DNSSEC issue with the top-level domain will cause an alert.


This script is meant to be invoked by Nagios or Icinga and has the following states:

  • OK: DNSSEC chain was validated
  • WARNING: the DNSSEC validation result was insecure (but not bogus)
  • CRITICAL: the DNSSEC validation result was bogus

This script has 2 options:

  • -z ZONE -- Specifies the zone to be checked, mandatory option
  • --insecure-is-ok -- When the result of the check is insecure, the state is OK and not WARNING


This script is very simple and works in most cases to detect errors in the DNSSEC validation chain. It could use the following:

  • Base the check on python-nagios
  • Configurable location for the root trust anchor
  • Checking the signatures from all nameservers in the final NSSet
  • Checking all signatures from all nameservers (might be slow/expensive and not nice to TLD/root operators)
  • Stop relying on python-unbound (as it is not generally available on e.. Arch) and use dnspython