This is a Nagios plugin to check DNSSEC signed zones for signatures which are about to expire.
It is inspired by
but differs in that it performs a transfer of the whole zone so that every signature can be checked.
It depends on the Date::Calc Perl module and ISC's dig utility.
./check_full_zone_rrsig_expiration -Z zone -M master [-T [hmac:]name:key] [-c TTLs (1)] [-w TTLs (2)] [-C days (3)] [-W days (4)]
-Z zone zone to test
-M master server to transfer the zone from
-T [hmac:]name:key TSIG key used to transfer the zone, same format as dig -y
-c TTLs return critical on RRSIGs whose remaining validity is less than this many times the TTL, default=1
-w TTLs return warning on RRSIGs whose remaining validity is less than this many times the TTL, default=2
-C days return critical on signatures whose remaining validity is less than this many days, default=3
-W days return warning on signatures whose remaining validity is less than this many days, default=4
Here's the source:
Feedback to email@example.com is appreciated.
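
The threshold logic described by the -c/-w/-C/-W options, as an added Python sketch (not the plugin's own Perl source). It assumes either threshold alone is enough to trigger, that the TTL is the one shown on the RRSIG line of the dig AXFR output, and it uses constructed zone data and a fixed "now".

```python
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

# Constructed sample in dig AXFR presentation format (not real zone data).
SAMPLE_AXFR = """\
example.com. 3600 IN SOA ns1.example.com. host.example.com. 1 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20240130000000 20240101000000 12345 example.com. c2ln
www.example.com. 3600 IN RRSIG A 13 3 3600 20240113120000 20240101000000 12345 example.com. c2ln
static.example.com. 604800 IN RRSIG A 13 3 604800 20240115000000 20240101000000 12345 example.com. c2ln
"""
SAMPLE_NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed check time


def parse_rrsigs(axfr_text):
    """Yield (owner, covered_type, ttl_seconds, expiration) for each RRSIG line."""
    for line in axfr_text.splitlines():
        f = line.split()
        if len(f) < 9 or line.startswith(";") or f[3] != "RRSIG":
            continue
        # RDATA order: type-covered alg labels orig-ttl expiration inception ...
        exp = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        yield f[0], f[4], int(f[1]), exp


def classify(ttl, expiration, now, c_ttls=1, w_ttls=2, c_days=3, w_days=4):
    """Assumption: the TTL-multiple test and the days test are OR-ed together."""
    remaining = (expiration - now).total_seconds()
    if remaining < c_ttls * ttl or remaining < c_days * 86400:
        return CRITICAL
    if remaining < w_ttls * ttl or remaining < w_days * 86400:
        return WARNING
    return OK


def check_zone(axfr_text, now, **thresholds):
    """Return (worst_status, [(owner, covered_type, status), ...])."""
    results = [(owner, rtype, classify(ttl, exp, now, **thresholds))
               for owner, rtype, ttl, exp in parse_rrsigs(axfr_text)]
    worst = max((status for _, _, status in results), default=OK)
    return worst, results


if __name__ == "__main__":
    worst, results = check_zone(SAMPLE_AXFR, SAMPLE_NOW)
    for owner, rtype, status in results:
        print(owner, rtype, ("OK", "WARNING", "CRITICAL")[status])
    raise SystemExit(worst)
```

The static.example.com. signature still has five days left, so the days thresholds pass, but its seven-day TTL means a resolver could cache it past expiry; only the TTL-multiple test catches that.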