Is it possible to monitor DNSSEC key expiration through Nagios? If so, is it native or does it require a third-party tool? I've been trying to find something that will monitor our DNS key expiration dates and report the keys that are about to expire (>30 days). The ones I have found online seem to require numerous additional packages be installed and/or don't have a lot of support. Can anyone help me out?
Don't know of any right off, but writing your own Nagios script isn't difficult. Since you already know how to check that key and have a good idea of the parameters you're looking for, you're in a good spot. This tutorial is pretty detailed, and (if you know how to write a basic bash script), should be easy to modify for your needs. http://community.spiceworks.com/how_...cripts-in-bash
Using it along with expchk should be a simple thing.
Thanks for the link. I'm having trouble figuring out the best way to query the zone-signing keys, to check the "Inactive" date. Would 'sed' work better than 'grep'? I would need to pass those results to another command (compare them to the current date), to verify if they are less than a set number of days from expiring. I could be confusing myself and over-thinking this, but it now seems like something that is out of my scripting ability.
..will put the number output into the variable you can now call as $var. From there, just do a simple check..if it's less than xx it's ok; greater than xx, warn; greater than yy, critical. Then you'll have three thresholds you can put into Nagios.
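Putting the thread's pieces together (pull the "Inactive" line out of each key file with sed, turn it into days from today, then apply the ok/warn/critical thresholds as Nagios exit codes), here is an added example of such a check script; it is not code from the posts above or from dnssec-tools. It assumes BIND-style K<zone>.+<alg>+<id>.key files carrying a "; Inactive: YYYYMMDDHHMMSS" comment (as dnssec-keygen/dnssec-settime write), GNU date for -d parsing, and the 30/7-day thresholds, the NOW_EPOCH hook and the sample key contents are my own constructed choices.

```shell
#!/bin/bash
# check_dnssec_keys.sh: Nagios-style check of the "Inactive" date in DNSSEC key files.
# Added example for this thread (not from the posts or dnssec-tools). Assumes BIND-style
# K<zone>.+<alg>+<id>.key files with a "; Inactive: YYYYMMDDHHMMSS" comment and GNU date.
WARN_DAYS="${WARN_DAYS:-30}"   # WARNING when a key goes inactive within 30 days
CRIT_DAYS="${CRIT_DAYS:-7}"    # CRITICAL within 7 days, or already inactive (negative)

# days_until_inactive FILE: prints whole days until the Inactive date; nothing if absent
days_until_inactive() {
    local stamp when target now
    stamp=$(sed -n 's/^; *Inactive: *\([0-9]\{14\}\).*/\1/p' "$1" | head -n 1)
    [ -n "$stamp" ] || return 0
    # 20250301000000 -> "2025-03-01 00:00:00"; key timestamps are UTC, hence date -u
    when=$(echo "$stamp" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6/')
    target=$(date -u -d "$when" +%s)
    now=${NOW_EPOCH:-$(date -u +%s)}   # NOW_EPOCH pins the clock for repeatable tests
    echo $(( (target - now) / 86400 ))
}

# check_keys DIR: prints one Nagios line; returns 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
check_keys() {
    local dir="$1" state=0 detail="" f days
    for f in "$dir"/K*.key; do
        [ -f "$f" ] || continue              # unmatched glob stays literal in plain sh
        days=$(days_until_inactive "$f")
        [ -n "$days" ] || continue           # no Inactive line: key has no retirement date
        detail="$detail $(basename "$f")=${days}d"
        if [ "$days" -le "$CRIT_DAYS" ]; then state=2
        elif [ "$days" -le "$WARN_DAYS" ] && [ "$state" -lt 2 ]; then state=1; fi
    done
    if [ -z "$detail" ]; then echo "DNSSEC UNKNOWN - no K*.key with an Inactive date in $dir"; return 3; fi
    case $state in
        0) echo "DNSSEC OK -$detail" ;;
        1) echo "DNSSEC WARNING -$detail" ;;
        *) echo "DNSSEC CRITICAL -$detail" ;;
    esac
    return $state
}

# make_sample_keys DIR: writes constructed key files (DNSKEY data is fake) for a dry run
make_sample_keys() {
    mkdir -p "$1"
    printf '; ZSK example.com\n; Inactive: 20250301000000\nexample.com. IN DNSKEY 256 3 8 AwEAAfake\n' > "$1/Kexample.com.+008+12345.key"
    printf '; next ZSK example.com\n; Inactive: 20250120000000\nexample.com. IN DNSKEY 256 3 8 AwEAAfake\n' > "$1/Kexample.com.+008+23456.key"
    printf '; ZSK reverse zone\n; Inactive: 20250105120000\n10.in-addr.arpa. IN DNSKEY 256 3 8 AwEAAfake\n' > "$1/K10.in-addr.arpa.+008+34567.key"
    printf '; KSK, no retirement scheduled\nexample.com. IN DNSKEY 257 3 8 AwEAAfake\n' > "$1/Kexample.com.+008+45678.key"
}

# Plugin use: check_dnssec_keys.sh /etc/named/keys   (exit code is the Nagios state)
if [ -n "${1:-}" ] && [ -d "$1" ]; then check_keys "$1"; exit $?; fi
```

Nagios only needs the exit code and the first output line, so the script can be wired in as a command like any other plugin; keys without an Inactive line (typically a KSK) are deliberately skipped rather than reported.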
I installed the perl packages found here and tried running the script located at the link that was posted above, but got this error:
Code:
Can't locate Net/DNS/SEC/Tools/conf.pm in @INC (@INC contains: /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at ./zone_key_check.sh line 16.
BEGIN failed--compilation aborted at ./zone_key_check.sh line 16.
Does anyone know what else I need to install to resolve this?
..the INSTALL file has good instructions on what dependencies you need, and where to get them. Not a tough install...
Okay, I've got everything installed (I think). When I first tried to run the script I got this:
Code:
[root@ustc-dns1 keys]# /usr/local/sbin/zone_key_check.sh -all
usage: expchk [options] <keyrec files>
options:
-all show all zones
-expired show expired zones
-valid show valid zones
-warn <num> warn if expiration in <num> days
-zone <name> show the specified zone only
-count only show the count of matching zones
-help display this help message
-Version display version number
I tried different command line arguments, but I always get the 'help' screen in return. I tried running the command: /usr/local/sbin/zone_key_check.sh -valid /etc/named/keys/ but got nothing in return, just a new command-line. I also tried running the script with an actual zone key path in the command and it returned the same thing. I edited the dnssec-tools.conf file to reflect the correct command path names, but could not get any results from the command. Is there a specific command line format that I should use?
You're getting that because the expchk command needs an argument, and you're not providing one, so it's returning the help screen. Run the expchk command on its own first, and put in some of the options you see above. Try "-all", "-warn", or "-expired", to see what it returns. Parse that output with your script to check on what's up.
Can you also post the contents of zone_key_check.sh?? Unless we see that, we can't tell you what might be going on.
The content of zone_key_check.sh is from the link you provided above (https://www.dnssec-tools.org/svn/dns...scripts/expchk). I named it that, so other admins could easily identify it. (I've since replaced the 'sh' with 'pl' since it's a perl script) I have tried using various command-line arguments and I never get any response about current or expiring keys. I was trying to get a response on the command-line before I start working on a script to parse the output and try to incorporate it into Nagios. I just want to make sure everything is working up to this point, but I can't get an expected response. I've spoken with the admin that has been working on our DNS and he says dnssec-signzone was used to incorporate the keys into the zone record and dnssec-keygen is used to generate the actual keys, so DNSSec tools were used, but I can't get them to cooperate!
Yes, but the name of that program is expchk, and should be named expchk.pl. It even has a man page under that name: http://linux.die.net/man/1/expchk
Renaming it is a bit confusing.
I appreciate all the help so far. I renamed the script, as you suggested, and tried the command again and got nothing. Is this the right format for the key names: Kxxx.xxx.xxx.in-addr.arpa.+xxx+xxxxx.key, Kxxx.xxx.xxx.in-addr.arpa.+xxx.xxxxx.private, Kdomain.name.mil.+xxx+xxxxx.key? I entered
Are your key files in that directory? And do you have any named "filename"??? What I gave above was just an example...you have to replace filename with the name of the file you want to check, including the path....
I'm sorry, I meant to put that into italics. Yes, all our keys are in that directory and yes I have tried it with specific key file names and on the directory as a whole (/etc/named/keys/*). I have tried every command line argument that I could think of and nothing provides a response. The only thing that provides an expected response is the -Version argument; everything else gives me nothing.
Could I be missing a Perl add-on? I installed: Net::DNS, Net::DNS::SEC, Test::More, IO::Socket, MIME::Base64, Digest::MD5, and Digest::HMAC_MD5. These were the only ones that I saw listed as required or as prerequisites.
Could be...did you install them?? They're listed as required because they're all used, so if you're missing one/more of them, things won't work correctly.