Use posttls-finger to monitor your DANE configuration in icinga2

Posted by Markus Benning on January 13, 2015

First you need the posttls-finger command, which ships with Postfix 2.11 and later. On Debian you can rebuild the postfix packages from unstable for your release. Like the Postfix SMTP client, posttls-finger needs a DNSSEC-validating resolver on the monitoring host when run at security level dane; without one the TLSA records are not trusted and no connection will ever be reported as verified.

Then download the check_posttls_finger script and make it executable:

curl -o /usr/local/bin/check_posttls_finger
chmod 755 /usr/local/bin/check_posttls_finger

Add a command definition to icinga2 by creating /etc/icinga2/conf.d/check_posttls_finger.conf with the following content:

object CheckCommand "posttls_finger" {
    import "plugin-check-command"
    command = [ "/usr/local/bin/check_posttls_finger" ]
    arguments = {
        "--domain" = "$dns_lookup$"
        "--wrap-resolvconf" = {
            set_if = "$dns_wrap_resolvconf$"
        }
    }
    vars.dns_wrap_resolvconf = false
}

Also add a service definition to /etc/icinga2/conf.d/services.conf:

apply Service "dane-" for (zone => config in host.vars.zones) {
  import "generic-service"
  check_command = "posttls_finger"
  check_interval = 2h
  vars += config
  assign where host.vars.zones
}

Now configure the domains you want to monitor in your host definitions. For example, to monitor

vars.zones[""] = {
  dns_lookup = ""
}
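The check_posttls_finger script itself is not reproduced on this page. The following is an added example, written for this edit and not the author's script: a minimal plugin in the same spirit that runs posttls-finger at security level dane for one domain and maps the one-line handshake summary to Icinga exit codes. It assumes posttls-finger is on PATH and that with -L summary it prints a "... TLS connection established to ..." line (Verified, Trusted, Untrusted or Anonymous); the sample outputs at the bottom are constructed, not captured from real servers. It only understands --domain, which is all the CheckCommand above passes while dns_wrap_resolvconf stays false; the original script's --wrap-resolvconf option is not implemented here.

```shell
#!/bin/sh
# Minimal check_posttls_finger-style plugin for Icinga/Nagios.
# Added example, not the author's check_posttls_finger script.
# Assumptions: posttls-finger (Postfix >= 2.11) is on PATH and, with -L summary,
# prints a "... TLS connection established to ..." line; "--domain" matches the
# CheckCommand definition; the original script's --wrap-resolvconf is not
# implemented.

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# Map captured posttls-finger output to an Icinga state.  Prints the status
# line on stdout and returns the exit code:
#   Verified              -> OK       (certificate matched the DANE TLSA records)
#   Trusted               -> WARNING  (PKI chain verified, but no DANE match)
#   Untrusted / Anonymous -> CRITICAL (no verification at all)
#   no summary line       -> UNKNOWN  (DNS, connect or handshake failure)
classify_posttls_output() {
    summary=$(printf '%s\n' "$1" | grep ' TLS connection established to ' | head -n 1)
    if [ -z "$summary" ]; then
        last=$(printf '%s\n' "$1" | tail -n 1)
        echo "UNKNOWN - no TLS summary from posttls-finger: $last"
        return $STATE_UNKNOWN
    fi
    case $summary in
        *'Verified TLS connection'*)
            echo "OK - $summary"
            return $STATE_OK ;;
        *'Untrusted TLS connection'*|*'Anonymous TLS connection'*)
            echo "CRITICAL - DANE verification failed: $summary"
            return $STATE_CRITICAL ;;
        *'Trusted TLS connection'*)
            echo "WARNING - PKI trust only, no DANE match: $summary"
            return $STATE_WARNING ;;
        *)
            echo "UNKNOWN - unexpected summary: $summary"
            return $STATE_UNKNOWN ;;
    esac
}

# Run posttls-finger against the MX of a domain.
# -c: log TLS information only (no SMTP chat), -l dane: DANE security level,
# -L summary: one-line handshake summary, -t/-T: connect and SMTP timeouts
# (assumed values).
run_check() {
    out=$(posttls-finger -c -l dane -L summary -t 30 -T 60 "$1" 2>&1)
    classify_posttls_output "$out"
}

main() {
    domain=""
    while [ $# -gt 0 ]; do
        case $1 in
            --domain) domain=$2; shift 2 ;;
            *) echo "UNKNOWN - unsupported argument: $1"; exit $STATE_UNKNOWN ;;
        esac
    done
    if [ -z "$domain" ]; then
        echo "UNKNOWN - usage: $0 --domain example.com"
        exit $STATE_UNKNOWN
    fi
    run_check "$domain"
}

# Constructed sample outputs (not captured from real servers) covering the
# interesting cases, so the classifier can be exercised without network access.
SAMPLE_VERIFIED='posttls-finger: Connected to mail.example.com[203.0.113.25]:25
posttls-finger: Verified TLS connection established to mail.example.com[203.0.113.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'
SAMPLE_UNTRUSTED='posttls-finger: Connected to mail.example.net[198.51.100.7]:25
posttls-finger: Untrusted TLS connection established to mail.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)'
SAMPLE_FAILED='posttls-finger: warning: connect to mail.example.org[192.0.2.9]:25: Connection timed out'

# Plugin entry point: only runs when invoked with arguments, so the file can
# also be sourced for testing the classifier.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Installed as /usr/local/bin/check_posttls_finger, this fits the CheckCommand above unchanged. Treating "Trusted" as a warning rather than OK is deliberate: at level dane a connection that verifies only through the CA chain means the TLSA records were missing or did not match, which is exactly the misconfiguration the check is meant to catch.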