OpenDNSSEC contains a Nagios Plugin written in Ruby, that can be used to monitor a signed zone. The README file shows the usage.

According to my tests on Debian Wheezy the script can only be run with Ruby 1.8, so install the required packages first:

apt-get install ruby1.8 libdns-ruby1.8 libruby1.8 ruby-dnsruby rubygems

Make a quick check to see that everything is okay:

/home/user/dnssec_monitor.rb -z dnssec.cc --kskwarn 12 -n a.dnssecns.de
6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
6 : Checking dnssec.cc zone on a.dnssecns.de(a.dnssecns.de) nameserver
6 : (a.dnssecns.de): Adding ksk : 53095
6 : (a.dnssecns.de): Adding zsk : 64429
6 : (a.dnssecns.de): dnssec.cc, DNSKEY verified OK
6 : (a.dnssecns.de): dnssec.cc, SOA verified OK
6 : (a.dnssecns.de): dnssec.cc, NS verified OK
6 : (a.dnssecns.de): Checking non-existing domain for dklfjhwiouy4r9cefuyenwfuyenw.dnssec.cc, NS
6 : Finished checking on a.dnssecns.de(a.dnssecns.de)

Please note that the nameserver a.dnssecns.de must allow you to perform recursive queries. You can omit the -n parameter if you want to use the default resolvers.

You’re now ready to add a new command to your commands.cfg.

define command {
    command_name    check_dnssec_a
    command_line    /home/user/dnssec_monitor.rb -z $ARG1$ --kskwarn 12 -n $HOSTADDRESS$
}

I set the KSK expiry warning to 12 days because my OpenDNSSEC keeps signatures valid for up to the default of 14 days. $ARG1$ will later be replaced by the zone that should be checked. $HOSTADDRESS$ is the Nagios host that will be used as the nameserver for the check; in my setup this is the primary nameserver.
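To make the threshold idea concrete, here is an added example in Ruby that is not part of the OpenDNSSEC plugin: a minimal Nagios-style check that parses RRSIG records from a zone dump and applies the same "warn N days before expiry" rule with the standard Nagios exit codes. The sample records, their timestamps, the 14-day validity and the one-day jitter are constructed assumptions; only the key tags are taken from the plugin output above.

```ruby
#!/usr/bin/env ruby
# Added example, not the OpenDNSSEC dnssec_monitor.rb plugin: a minimal
# Nagios-style check of RRSIG expiry that mirrors the "warn N days before
# signatures expire" idea behind the --kskwarn threshold. Input is RRSIG
# records in zone-file presentation format, e.g. from a zone dump.

# Nagios plugin exit codes (Nagios plugin development guidelines).
NAGIOS_OK       = 0
NAGIOS_WARNING  = 1
NAGIOS_CRITICAL = 2
NAGIOS_UNKNOWN  = 3

Rrsig = Struct.new(:owner, :type_covered, :expiration, :inception, :key_tag)

# RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034, section 3.2).
def parse_rrsig_time(s)
  raise ArgumentError, "bad RRSIG timestamp: #{s.inspect}" unless s =~ /\A\d{14}\z/
  Time.utc(s[0, 4].to_i, s[4, 2].to_i, s[6, 2].to_i,
           s[8, 2].to_i, s[10, 2].to_i, s[12, 2].to_i)
end

# Parse RRSIG lines of the form
#   owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
# and ignore everything else.
def parse_rrsigs(text)
  text.each_line.map do |line|
    f = line.split
    next unless f.length >= 12 && f[3] == 'RRSIG'
    Rrsig.new(f[0], f[4], parse_rrsig_time(f[8]), parse_rrsig_time(f[9]), f[10].to_i)
  end.compact
end

# Returns [exit_code, status_line] based on the signature that expires soonest.
# CRITICAL: a signature is already expired or not yet valid (validating
# resolvers treat the data as bogus); WARNING: expiry is less than warn_days away.
def check_rrsig_expiry(rrsigs, now, warn_days)
  return [NAGIOS_UNKNOWN, 'UNKNOWN: no RRSIG records found'] if rrsigs.empty?
  not_yet = rrsigs.find { |r| r.inception > now }
  if not_yet
    return [NAGIOS_CRITICAL, "CRITICAL: #{not_yet.owner} #{not_yet.type_covered} " \
                             "signature not valid before #{not_yet.inception.utc}"]
  end
  soonest = rrsigs.min_by(&:expiration)
  days_left = (soonest.expiration - now) / 86_400.0
  label = "#{soonest.owner} #{soonest.type_covered} (key tag #{soonest.key_tag})"
  if days_left <= 0
    [NAGIOS_CRITICAL, "CRITICAL: #{label} signature expired #{(-days_left).round(1)} days ago"]
  elsif days_left < warn_days
    [NAGIOS_WARNING, "WARNING: #{label} signature expires in #{days_left.round(1)} days"]
  else
    [NAGIOS_OK, "OK: earliest signature expiry (#{label}) in #{days_left.round(1)} days"]
  end
end

# Constructed sample: three RRSIGs signed 2013-03-01 and valid for 14 days (the
# OpenDNSSEC default), the NS one with a day of jitter. Key tags are the ones
# from the plugin output above; the signature field is a placeholder.
SAMPLE_RRSIGS = <<ZONE
dnssec.cc. 3600 IN RRSIG DNSKEY 8 2 3600 20130315120000 20130301120000 53095 dnssec.cc. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
dnssec.cc. 3600 IN RRSIG SOA 8 2 3600 20130315120000 20130301120000 64429 dnssec.cc. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
dnssec.cc. 3600 IN RRSIG NS 8 2 3600 20130316120000 20130301120000 64429 dnssec.cc. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
ZONE

# Walk the constructed zone through the threshold at a few fixed points in time
# so the output is reproducible; a real plugin would use Time.now.utc and
# finish with `exit code`.
[Time.utc(2013, 3, 2, 12), Time.utc(2013, 3, 4, 12), Time.utc(2013, 3, 16)].each do |now|
  code, msg = check_rrsig_expiry(parse_rrsigs(SAMPLE_RRSIGS), now, 12)
  puts "#{now.strftime('%Y-%m-%d %H:%M')} -> exit #{code}: #{msg}"
end
```

With a 14-day validity and a 12-day warning threshold the check is green for only the first two days after signing, which is the point of the setting: OpenDNSSEC should have re-signed long before the warning fires, so a WARNING means the signer has stopped doing its job and there are still several days left to fix it before resolvers start returning SERVFAIL.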

You can now add a service to your hostname.cfg of the primary nameserver.

define service {
    use                    generic-service
    host_name              a.dnssecns.de
    service_description    DNSSEC dnssec.cc
    check_command          check_dnssec_a!dnssec.cc
}

Now it’s time to reload Nagios and activate the checks.

/etc/init.d/nagios3 reload
[ ok ] Reloading nagios3 monitoring daemon configuration files: nagios3.

Now you should be notified if anything goes wrong with your zone.

I added some checks for OpenDNSSEC, too. On the server hosting the signer and enforcer, I added an NRPE check for the two daemon processes to /etc/nagios/nrpe_local.cfg:

command[check_ods_enforcerd]=/usr/lib/nagios/plugins/check_procs -c 1:1 -u 104 -C ods-enforcerd
command[check_ods_signerd]=/usr/lib/nagios/plugins/check_procs -c 1:1 -u 104 -C ods-signerd

Don’t forget to reload the NRPE server configuration:

/etc/init.d/nagios-nrpe-server reload
[ ok ] Reloading nagios-nrpe configuration files: nagios-nrpe.

On the Nagios server I added generic services to call these NRPE checks in services_nagios2.cfg.

define service {
    use                     generic-service
    hostgroup_name          opendnssec
    service_description     OpenDNSSEC Enforcer
    check_command           check_nrpe_1arg!check_ods_enforcerd
}

define service {
    use                     generic-service
    hostgroup_name          opendnssec
    service_description     OpenDNSSEC Signer
    check_command           check_nrpe_1arg!check_ods_signerd
}

Now just the hostgroup is missing (hostgroups_nagios2.cfg):

define hostgroup {
    hostgroup_name  opendnssec
    members         a.dnssecns.de
}

Reload Nagios as shown above to activate the new checks.