Monitoring signature expiration online

Written by Roland van Rijswijk in category: Uncategorized

One of the things we discovered while rolling out our deployment is that it is very important to monitor the availability of signed zones (see also this post by Migiel de Vos on monitoring). We have deployed default monitoring based on Nagios, with checks that verify that all signer components are running. What we cannot check that way is whether the signatures in the zone are still valid for long enough, and that is a very important indicator of the signer's health: even if the signer daemon is running, that does not guarantee that it is actually re-signing the zone correctly and on time.

We therefore decided that we should also monitor the validity of the signatures online. To achieve this, we created a small tool that plugs into Nagios and that can check the remaining validity time of the RRSIGs either for a single resource record or for a whole zone using an AXFR-style transfer (for the whole-zone check, the name server must of course allow zone transfers from the monitoring host).
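To show what such a check has to do, here is an added example of a Nagios-style plugin in Python. It is not the sigvalcheck tool from this post and does not reproduce its code; it reads RRSIG records in presentation format (one record per line, as `dig AXFR` prints them), so a single `dig +dnssec` answer is the single-record mode and a saved zone transfer is the whole-zone mode. The thresholds, the sample zone and its dummy signatures are constructed for the example; the exit codes are the standard Nagios ones. Note that the remaining validity is kept as a signed number, so a signature that expired months ago reports CRITICAL instead of wrapping round to a large positive value, and a signature whose inception is still in the future is treated as unusable as well.

```python
"""Nagios-style check of RRSIG validity time for a single record or a whole zone.

Added example, not the sigvalcheck tool from the post. Input is RRSIG records
in presentation format, one per line (as `dig AXFR` prints them). The sample
zone below is constructed data with a dummy base64 signature.
"""
from datetime import datetime, timezone

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def parse_rrsig_time(field):
    """RRSIG presentation format writes timestamps as YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG line into its RDATA fields; returns None for any other line."""
    f = line.split()
    # owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        return None
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def evaluate_rrsig(sig, now, warn_secs, crit_secs):
    """Return (state, seconds_left) for one signature.

    seconds_left is signed: a signature that expired long ago yields a large
    negative number and is CRITICAL. A signature whose inception lies in the
    future cannot be used by validators either, so it is CRITICAL too.
    """
    seconds_left = int((sig["expiration"] - now).total_seconds())
    if sig["inception"] > now:
        return CRITICAL, seconds_left
    if seconds_left <= crit_secs:
        return CRITICAL, seconds_left
    if seconds_left <= warn_secs:
        return WARNING, seconds_left
    return OK, seconds_left


def check_rrsigs(lines, now, warn_secs=5 * 86400, crit_secs=1 * 86400):
    """Evaluate every RRSIG in `lines` and return (worst_state, message).

    One RRSIG line is the single-record mode, an AXFR dump is the whole-zone
    mode. No RRSIGs at all is UNKNOWN: an unsigned answer means the check
    itself is misconfigured or the zone lost its signatures, not that it is fine.
    """
    sigs = [s for s in (parse_rrsig(line) for line in lines) if s]
    if not sigs:
        return UNKNOWN, "UNKNOWN: no RRSIG records found"
    worst, worst_sig, worst_left = OK, None, None
    for sig in sigs:
        state, left = evaluate_rrsig(sig, now, warn_secs, crit_secs)
        if worst_sig is None or state > worst or (state == worst and left < worst_left):
            worst, worst_sig, worst_left = state, sig, left
    when = ("expired %d s ago" % -worst_left) if worst_left < 0 else ("expires in %d s" % worst_left)
    msg = "%s: RRSIG %s/%s (key tag %d) %s; %d signatures checked" % (
        STATE_NAMES[worst], worst_sig["owner"], worst_sig["type_covered"],
        worst_sig["key_tag"], when, len(sigs))
    return worst, msg


# Constructed sample zone transfer, evaluated at a fixed time so the result is reproducible.
SAMPLE_NOW = datetime(2010, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ZONE = [
    "example.net.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2010061501 7200 3600 1209600 3600",
    "example.net.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20100625120000 20100601120000 12345 example.net. c2lnbmF0dXJl",
    "www.example.net.\t3600\tIN\tRRSIG\tA 8 3 3600 20100618120000 20100601120000 12345 example.net. c2lnbmF0dXJl",
    "old.example.net.\t3600\tIN\tRRSIG\tA 8 3 3600 20091201000000 20091101000000 12345 example.net. c2lnbmF0dXJl",
]

if __name__ == "__main__":
    import sys
    state, message = check_rrsigs(SAMPLE_ZONE, SAMPLE_NOW)
    print(message)
    sys.exit(state)
```

Run against a live server you would replace SAMPLE_ZONE with the output of `dig @ns AXFR zone` (or of `dig +dnssec name type` for a single record) and SAMPLE_NOW with the current UTC time; the worst signature in the input decides the exit code, which is exactly what Nagios needs to page on a signer that has silently stopped re-signing.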

You can download this tool using the link below; the source distribution includes a README with instructions on building and using the tool. The tool is released under a BSD-style license (included).

Download the tool here: sigvalcheck-0.1.tar.gz

UPDATE: The trunk of OpenDNSSEC also includes a very useful monitoring tool that integrates in Nagios; it is written in Ruby and available through the OpenDNSSEC subversion repository.

3 Comments to “Monitoring signature expiration online”

  1. Jakob Schlyter says:

    Have you tried http://svn.opendnssec.org/trunk/monitor/ ?

  2. Tony Yarusso says:

    When you create plugins like this, don’t forget to add them to http://exchange.nagios.org/ so others can find and use them.

  3. Marco Davids says:

    There’s a little bug in version 0.1, I think. It reveals itself while testing for RRSIGs that expired way in the past: they are flagged as OK. The reason is the type of the validFor variable. I changed it from ‘int’ to ‘int32_t’ and then things were fine.

    Here’s the patch:
    http://us1.forfun.net/sigvalcheck-0.1.patch

    it was made with:

    ‘diff -rupN sigvalcheck-0.1 sigvalcheck-0.2 > sigvalcheck-0.1.patch’

    Applying the patch goes something like this:

    cp -R sigvalcheck-0.1 sigvalcheck-0.2
    cd sigvalcheck-0.2
    patch < ../sigvalcheck-0.1.patch

    Have fun.
