Monitoring signature expiration online

One of the things we discovered while we were rolling out our deployment is that it is very important to monitor the availability of signed zones (see also this post by Migiel de Vos on monitoring). We have deployed default monitoring based on Nagios, with checks that verify if all signer components are running. One of the things we cannot check that way is whether signatures are valid for long enough. And that is a very important indicator of the status of the signer. Even if the signer daemon is running, that does not guarantee that it is actually resigning the zone correctly.

Screenshot of computer settings

We therefore decided that we should also monitor the validity of signatures online. To achieve this, we created a small tool that plugs in to Nagios and that can check the validity time of the signatures for either a single resource record or for a whole zone using an AXFR-style transfer.

You can download this tool using the link below; the source distribution includes a README with instructions on building and using the tool. The tool is released under a BSD-style license (included).

Download the tool here: sigvalcheck-0.1.tar.gz

UPDATE: The trunk of OpenDNSSEC also includes a very useful monitoring tool that integrates in Nagios; it is written in Ruby and available through the OpenDNSSEC subversion repository.

Author

Comments

Dit artikel heeft 0 reacties