There is a great plugin for Nagios to do signature verification:

    http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html

Go to the Nagios plugin directory:

    $ cd /usr/local/libexec/nagios

Grab a copy from our local repository:

    $ sudo fetch http://noc.ws.nsrc.org/downloads/check_zone_rrsig_expiration

Make the plugin executable:

    $ sudo chmod +x check_zone_rrsig_expiration

Test that the plugin works, manually:

    $ ./check_zone_rrsig_expiration -Z MYTLD -W 120 -C 60

Ok, now we're going to create a Nagios command to use the plugin:

    $ cd /usr/local/etc/nagios/objects
    $ sudo vi commands.cfg

Add the following lines:

- - - - - - - - - - - - copy below - - - - - - - - - - - -

# Note: the command_line below is one long line, not two!

define command {
    command_name    check-zone-rrsig
    command_line    /usr/local/libexec/nagios/check_zone_rrsig_expiration -Z $HOSTADDRESS$ -W 90 -C 60
}

- - - - - - - - - - - - copy above - - - - - - - - - - - -

Save the file, then go back up to the main Nagios configuration
directory. Now we're going to create a "Host" - in reality, it's our
zone, but we make Nagios believe it's testing a machine:

    $ cd ..
    $ sudo vi objects/dns-servers.cfg

- - - - - - - - - - - - copy below - - - - - - - - - - - -

## Define new service for checking signatures!

define service {
    use                     generic-service
    hostgroup_name          my-zones          ; The group using this service
    service_description     DNS RRSIG         ; The name of our service
    check_command           check-zone-rrsig  ; Command to check the SIGs
}

# Host group for zones

define hostgroup {
    hostgroup_name          my-zones          ; Our new hostgroup
    members                 MYDOMAIN          ; The zones ("hosts") - replace!
}

# Zone 'phil'

define host {
    use                     generic-host
    max_check_attempts      3
    contact_groups          admins
    host_name               MYDOMAIN          ; replace with your zone!
}

- - - - - - - - - - - - copy above - - - - - - - - - - - -

Now, time to verify that the Nagios configuration works:

    $ sudo nagios -v nagios.cfg

Check that there are no errors!

Time to restart Nagios:

    $ sudo service nagios restart

Go to the web interface, and check the services!

    http://10.10.X.1/nagios/
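
To make clear what a warning/critical check on signature expiration evaluates, here is an added example (not the plugin's code and not part of the original handout) that reads RRSIG records in dig presentation format, finds the signature that expires soonest, and maps the remaining lifetime to a Nagios status code. The sample records, the function names and the use of days as the threshold unit are assumptions of this example.

```python
from datetime import datetime, timezone
import sys

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes

# Constructed sample in dig presentation format; zone, key tag and signatures are made up.
SAMPLE = """\
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20240215000000 20240116000000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG NS 8 2 3600 20240120000000 20231221000000 12345 example.test. c2lnMg==
"""

def parse_expiration(field):
    """RFC 4034 allows YYYYMMDDHHmmSS or seconds since the epoch; both are UTC."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (type_covered, expiration) for every RRSIG record in the text."""
    for line in text.splitlines():
        f = line.split()
        # name TTL class RRSIG covered alg labels origttl expiration inception tag signer sig
        if len(f) >= 13 and f[3] == "RRSIG":
            yield f[4], parse_expiration(f[8])

def check_rrsig_expiration(text, warn_days, crit_days, now):
    """Return (nagios_code, message) for the signature that expires soonest."""
    sigs = list(parse_rrsigs(text))
    if not sigs:
        return CRITICAL, "CRITICAL: no RRSIG records found, zone looks unsigned"
    covered, expires = min(sigs, key=lambda s: s[1])
    days_left = (expires - now).total_seconds() / 86400
    if days_left <= 0:
        return CRITICAL, f"CRITICAL: {covered} RRSIG expired on {expires:%Y-%m-%d}"
    detail = f"{covered} RRSIG expires in {days_left:.1f} days"
    if days_left <= crit_days:
        return CRITICAL, "CRITICAL: " + detail
    if days_left <= warn_days:
        return WARNING, "WARNING: " + detail
    return OK, "OK: " + detail

if __name__ == "__main__":
    # Fixed clock so the constructed sample gives the same answer on every run.
    fixed_now = datetime(2024, 1, 17, tzinfo=timezone.utc)
    code, message = check_rrsig_expiration(SAMPLE, warn_days=7, crit_days=2, now=fixed_now)
    print(message)
    sys.exit(code)
```

The warning threshold has to be shorter than the normal signature lifetime of the zone, otherwise the service sits in WARNING permanently and a real re-signing failure is easy to overlook.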