Zonemaster is a great tool to verify that you have set up your domainservers correctly. You can test it out on https://zonemaster.iis.se/en/
I want my icinga server to this automaticly so i will get a warning as soon something changes, so lets do that. First thing you need to now is that Zonemaster is a tool and is freely available on Github. you can download it and run it on your own machine.
For CentOS 7 you install it using these commands:
sudo yum --enablerepo=extras install epel-release -y sudo yum groupinstall "Development Tools" -y && sudo yum install cpanminus libidn-devel openssl-devel perl-Clone perl-core perl-Devel-CheckLib perl-File-ShareDir perl-File-Slurp perl-IO-Socket-INET6 perl-JSON-PP perl-List-MoreUtils perl-Module-Find perl-Moose perl-Net-IP perl-Pod-Coverage perl-Readonly-XS perl-Test-Differences perl-Test-Exception perl-Test-Fatal perl-Test-Pod perl-YAML -y sudo cpanm Locale::Msgfmt Locale::TextDomain Mail::RFC822::Address Module::Install Module::Install::XSUtil Test::More Text::CSV && sudo cpanm Zonemaster::LDNS Zonemaster::Engine sudo cpanm Zonemaster::CLI
After the installation you should be able to test from zonemaster from your command prompt
[root@icinga dns]# zonemaster-cli dalesjo.net Seconds Level Message ======= ========= ======= 9.02 NOTICE There are neither DS nor DNSKEY records for the zone. 9.02 NOTICE The zone is not signed with DNSSEC. 9.03 NOTICE Child lists no nameserver that resolves to an IPv6 address. If any were present, the minimum allowed would be 2. 9.03 NOTICE Delegation lists no nameserver that resolves to an IPv6 address. If any were present, the minimum allowed would be 2.
The command zonemaster-cli does not give out any usefull exit code so it cannot be used directly with Icinga or Nagios. But a small shell script that looks at the output, and specifically on the Level column will be sufficient. I have uploaded one version with my nagios script on Github. Because icinga/nagios script has an limit of 1024 charachters it will only output warning, errors and critical messages from zonemaster-cli. If not issues hare found, the message ” No issues found for domain x” will be outputed.
Here is an example from icinga when two of your domain servers has different serials because they failed to syncronize.