First you need to install delv. delv is a new diagnostic tool like dig, but with improved DNSSEC support. It ships with BIND 9.10 and newer, so if you are already running BIND 9.10 or later it should already be installed. Otherwise you can grab the latest BIND tarball, compile it, and use the compiled delv binary:
tar xzf bind-9.10.1.tar.gz
cd bind-9.10.1
./configure && make
cp bin/delv/delv /usr/local/bin/delv
Then download the check_delv nagios plugin script:
curl -o /usr/local/bin/check_delv https://raw.githubusercontent.com/benningm/nagios-plugins/master/check_delv
chmod 755 /usr/local/bin/check_delv
Add a command definition to icinga2 by creating /etc/icinga2/conf.d/check_delv.conf with the following content:
object CheckCommand "delv" {
  import "plugin-check-command"
  command = [ "/usr/local/bin/check_delv" ]
  arguments = {
    "--delv-bin" = "/usr/local/bin/delv"
    "--domain" = "$dns_lookup$"
    "--dlv" = {
      set_if = "$dns_dlv$"
    }
  }
  vars.dns_dlv = 0
}
Also add a service definition to /etc/icinga2/conf.d/services.conf:
apply Service "dnssec-" for (zone => config in host.vars.zones) {
  import "generic-service"
  check_command = "delv"
  check_interval = 2h
  vars += config
  assign where host.vars.zones
}
Now configure the domains you want to monitor in your host definitions. For example, to monitor markusbenning.de:
vars.zones["markusbenning.de"] = {
  dns_lookup = "markusbenning.de"
  /* dns_dlv = false|true */
}
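To see what a DNSSEC check of this kind has to decide, the following added example (not the check_delv plugin's code and not from the original post) maps the status lines delv prints to Nagios/Icinga exit codes. The sample outputs, the example.test name and the choice to report a validated negative response as WARNING are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: map delv's status lines to Nagios/Icinga exit codes.
# Not the check_delv plugin's code. The sample outputs are constructed.

SAMPLE_VALID='; fully validated
example.test. 300 IN A 192.0.2.10
example.test. 300 IN RRSIG A 8 2 300 ( constructed, signature omitted )'
SAMPLE_NEGATIVE='; negative response, fully validated'
SAMPLE_UNSIGNED='; unsigned answer
example.test. 300 IN A 192.0.2.10'
SAMPLE_BROKEN=';; resolution failed: broken trust chain'

# Reads delv output on stdin, prints one status line,
# returns 0 (OK), 1 (WARNING), 2 (CRITICAL) or 3 (UNKNOWN).
classify_delv() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^; fully validated'; then
        echo "OK - answer fully validated"
        return 0
    fi
    # Assumption: a validated denial means the chain of trust is intact
    # but the monitored record is missing, reported here as WARNING.
    if printf '%s\n' "$out" | grep -q '^; negative response, fully validated'; then
        echo "WARNING - validated negative response"
        return 1
    fi
    # An unsigned answer means the zone is not protected by DNSSEC at all.
    if printf '%s\n' "$out" | grep -q '^; unsigned answer'; then
        echo "CRITICAL - answer is unsigned"
        return 2
    fi
    # Validation or lookup errors: pass delv's own reason through.
    reason=$(printf '%s\n' "$out" | sed -n 's/^;; \(resolution failed.*\)$/\1/p' | head -n 1)
    if [ -n "$reason" ]; then
        echo "CRITICAL - $reason"
        return 2
    fi
    echo "UNKNOWN - unrecognised delv output"
    return 3
}

# Demo on the constructed samples. Against a live zone (hypothetical usage):
#   delv example.test 2>&1 | classify_delv
for sample in "$SAMPLE_VALID" "$SAMPLE_NEGATIVE" "$SAMPLE_UNSIGNED" "$SAMPLE_BROKEN"; do
    printf '%s\n' "$sample" | classify_delv || true
done
```

The unsigned case is the one worth alerting on: a zone that silently loses its signatures or DS record still resolves normally, so only a validating check notices.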