check_full_zone_rrsig_expiration

This is a Nagios plugin to check DNSSEC signed zones for signatures which are about to expire.

It is inspired by http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html, but differs in that it performs a transfer of the whole zone so that every signature can be checked.

It depends on the Date::Calc perl module and ISC's dig utility.


./check_full_zone_rrsig_expiration -Z zone -M master [-T [hmac:]name:key] [-c TTLs (1)] [-w TTLs (2)] [-C days (3)] [-W days (4)]

    -Z zone               zone to test
    -M master             server to transfer the zone from
    -T [hmac:]name:key    tsig key used to transfer the zone, same format as dig -y
    -c TTLs               return critical on rrsigs with less than this many times the ttl of validity remaining, default=1
    -w TTLs               return warning on rrsigs with less than this many times the ttl of validity remaining, default=2
    -C days               return critical on signatures with less than this many days of validity remaining, default=3
    -W days               return warning on signatures with less than this many days of validity remaining, default=4
   

Here's the source:
check_full_zone_rrsig_expiration.pl

Feedback to dave@knig.ht is appreciated.