port icinga DNS and DNSSEC checks to prometheus
convert our Icinga checks to Prometheus. this is part of phase B but spun off of #41639 (closed).
this is the analysis from TPA-RFC-33:
| Name | Check | Type | P | Exporter | Rule level | Note |
|---|---|---|---|---|---|---|
| DNS SOA sync - * | dsa_check_soas_add |
NRPE | E | ??? | warning | checks that zones are in sync on secondaries |
| DNS - delegation and signature expiry | dsa-check-zone-rrsig-expiration-many |
NRPE | E | [dnssec-exporter][] | warning | TODO, drop DNSSEC? see also [check_zone_rrsig_expiration][] which may be related |
| DNS - zones signed properly | dsa-check-zone-signature-all |
NRPE | E | ??? | warning | idem |
| DNS - security delegations | dsa-check-dnssec-delegation |
NRPE | E | ??? | warning | idem |
| DNS - key coverage | dsa-check-statusfile |
NRPE | E | ??? | warning | idem, dsa-check-statusfile /srv/dns.torproject.org/var/nagios/coverage on nevii, could be converted as is |
| DNS - DS expiry | dsa-check-statusfile |
NRPE | E | ??? | warning | idem, dsa-check-statusfile /srv/dns.torproject.org/var/nagios/ds on nevii |
Consider retiring DNSSEC entirely, and that some of those checks have side effects. See also #41671.
see also check_zone_rrsig_expiration which may be related. the check is currently, dsa-check-statusfile /srv/dns.torproject.org/var/nagios/ds on nevii, and the state file is generated by ~dnsadm/bin/dsa-check-and-extend-DS, itself delegating to /srv/dns.torproject.org/repositories/dns-helpers/manage-dnssec-keys.
Edited by anarcat