Use delv to monitor your DNSSEC configuration in icinga2

Posted by Markus Benning on January 13, 2015

First you need to install delv. delv is a new diagnostic tool like dig, but with improved DNSSEC support (read more). It comes with bind 9.10 and newer. If you’re already using bind >9.10 then it should be already installed. Otherwise you can grab the latest bind tarball, compile it and use the compiled delv binary:

tar xzf bind-9.10.1.tar.gz
cd bind-9.10.1
./configure && make
cp bin/delv/delv /usr/local/bin/delv

Then download the check_delv nagios plugin script:

curl -o /usr/local/bin/check_delv
chmod 755 /usr/local/bin/check_delv

Add a command definition to icinga2 by creating /etc/icinga2/conf.d/check_delv.conf with the following content:

object CheckCommand "delv" {
    import "plugin-check-command"
    command = [ "/usr/local/bin/check_delv" ]
    arguments = {
        "--delv-bin" = "/usr/local/bin/delv"
        "--domain" = "$dns_lookup$"
        "--dlv" = {
            set_if = "$dns_dlv$"
   vars.dns_dlv = 0

Also add an service definition to /etc/icinga2/conf.d/services.conf:

apply Service "dnssec-" for (zone => config in host.vars.zones) {
  import "generic-service"
  check_command = "delv"
  check_interval = 2h
  vars += config
  assign where host.vars.zones

Now configure the domains your want to monitor in your host definitions. For example to monitor

vars.zones[""] = {
  dns_lookup = ""
  /* dns_dlv = false|true */