Thanks for sharing. I take a slightly different approach and also test that an incorrectly signed zone comes back as SERVFAIL.
I just posted my 1.0 release of the plugin on the NAGIOS Exchange (https://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS) and it will be visible once approved. I'd appreciate your similar feedback.

Frank

-----Original Message-----
From: Wessels, Duane [mailto:[email protected]]
Sent: Friday, July 24, 2015 4:42 PM
To: Frank Bulk <[email protected]>
Cc: [email protected]
Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec validation

It's been a while since you wrote about this, but I've attempted to implement a nagios plugin along these lines.

https://github.com/verisign/check_recursive_validation

I believe it works the way you've described and would welcome any feedback.

DW

> On Jul 13, 2015, at 10:08 PM, Frank Bulk <[email protected]> wrote:
>
> Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
> check against a resolver that it gets an AD back on DNSSec query for a zone
> that is properly signed, failure for one that is not properly signed, and
> nothing for one that isn't signed?
> http://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
>
> I'd rather not re-invent the wheel if it already exists.
>
> Regards,
>
> Frank Bulk
>
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
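The three-way check discussed in this thread, as an added example (not code from either plugin mentioned above): it reads the AD bit and RCODE from raw DNS response headers and maps the results to a Nagios status. The `signed`/`bogus`/`unsigned` labels, the function names and the sample headers are constructed for illustration, and "nothing" for an unsigned zone is assumed to mean NOERROR without AD.

```python
import struct

OK, CRITICAL = 0, 2                      # Nagios plugin exit codes
QR_FLAG, AD_FLAG = 0x8000, 0x0020        # header flag bits (RFC 1035 / RFC 4035)
NOERROR, SERVFAIL = 0, 2

# Expected (AD set, RCODE) per test zone when the resolver really validates.
EXPECTED = {
    "signed": (True, NOERROR),      # properly signed zone: answer with AD
    "bogus": (False, SERVFAIL),     # incorrectly signed zone: SERVFAIL
    "unsigned": (False, NOERROR),   # unsigned zone: answer, no AD (assumption)
}

def parse_header(msg):
    """Return (ad_set, rcode) from the 12-byte header of a DNS response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _ident, flags = struct.unpack("!HH", msg[:4])
    if not flags & QR_FLAG:
        raise ValueError("not a response (QR=0)")
    return bool(flags & AD_FLAG), flags & 0x000F

def check_validation(responses):
    """responses maps zone kind -> raw response bytes; returns (status, text)."""
    problems = []
    for kind, want in EXPECTED.items():
        try:
            got = parse_header(responses.get(kind, b""))
        except ValueError as exc:
            problems.append(f"{kind}: {exc}")
            continue
        if got != want:
            problems.append(f"{kind}: AD={got[0]} rcode={got[1]}, "
                            f"expected AD={want[0]} rcode={want[1]}")
    if problems:
        return CRITICAL, "CRITICAL: " + "; ".join(problems)
    return OK, "OK: resolver is validating DNSSEC"

def hdr(flags):
    """Constructed sample: a bare response header with one question."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

# Constructed responses: a validating resolver and one that does not validate.
VALIDATING = {"signed": hdr(0x81A0), "bogus": hdr(0x8182), "unsigned": hdr(0x8180)}
NON_VALIDATING = {kind: hdr(0x8180) for kind in EXPECTED}

if __name__ == "__main__":
    for name, sample in (("validating", VALIDATING), ("plain", NON_VALIDATING)):
        print(name, check_validation(sample))
```

In a real plugin the response bytes would come from queries sent to the resolver under test with the DO bit set, one per test zone.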
