
port icinga DNS and DNSSEC checks to prometheus

convert our Icinga checks to Prometheus. this is part of phase B but spun off of #41639 (closed).

this is the analysis from TPA-RFC-33:

| Name | Check | Type | P | Exporter | Rule level | Note |
|------|-------|------|---|----------|------------|------|
| DNS SOA sync - * | dsa_check_soas_add | NRPE | E | ??? | warning | checks that zones are in sync on secondaries |
| DNS - delegation and signature expiry | dsa-check-zone-rrsig-expiration-many | NRPE | E | [dnssec-exporter][] | warning | TODO, drop DNSSEC? see also [check_zone_rrsig_expiration][] which may be related |
| DNS - zones signed properly | dsa-check-zone-signature-all | NRPE | E | ??? | warning | idem |
| DNS - security delegations | dsa-check-dnssec-delegation | NRPE | E | ??? | warning | idem |
| DNS - key coverage | dsa-check-statusfile | NRPE | E | ??? | warning | idem, dsa-check-statusfile /srv/dns.torproject.org/var/nagios/coverage on nevii, could be converted as is |
| DNS - DS expiry | dsa-check-statusfile | NRPE | E | ??? | warning | idem, dsa-check-statusfile /srv/dns.torproject.org/var/nagios/ds on nevii |

Consider retiring DNSSEC entirely, and note that some of those checks have side effects. See also #41671.

see also check_zone_rrsig_expiration which may be related. the check is currently dsa-check-statusfile /srv/dns.torproject.org/var/nagios/ds on nevii, and the state file is generated by ~dnsadm/bin/dsa-check-and-extend-DS, itself delegating to /srv/dns.torproject.org/repositories/dns-helpers/manage-dnssec-keys.

Edited by anarcat