Monitoring by customer is one way to monitor services. In some cases customers will start looking for a similar service somewhere else; in other cases you are in trouble because you break your SLAs.
And do monitor all related services. One common example is SSL certificates. Here are three other examples:
1. When you are running an IRC server and have your domain secured with DNSSEC, monitor your server, your service and your DNSSEC signatures.
2. When you are running DNSSEC-secured domains for a customer and are using an HSM (Hardware Security Module), monitor your servers, your services, your DNSSEC signatures and the rest of the infrastructure including the HSM.
3. If you are using DANE (for SMTP) and are communicating with other people using DANE, your communication will fail when your DNSSEC signatures have expired. And when you have fixed your setup, do not be surprised by all the mail you are getting. And on the other side you should monitor your log files.
And when you do monitor DNSSEC: When the signatures are expired it’s too late. You should get a warning
For 1 and 2: I’m using check_dnssec_expiration (https://github.com/MonitoringPlug/monitoringplug)
For 3: status=deferred (Server certificate not trusted) should be the correct term in your Postfix log file.
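The "warn before the signatures expire" idea from above, as an added example (not code from this post or from check_dnssec_expiration): it reads RRSIG lines in the format `dig +dnssec` prints and returns an Icinga/Nagios status for the signature that expires first. The zone example.test, the sample records, the function names and the 7/2-day thresholds are assumptions.

```python
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios/Icinga plugin return codes

# Constructed sample in the presentation format of `dig +dnssec` answers;
# example.test, key tag 12345 and the signature data are placeholders.
SAMPLE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20150815000000 20150716000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG NS 8 2 3600 20150803120000 20150704120000 12345 example.test. c2lnbmF0dXJl
"""

def _ts(value):
    # dig prints RRSIG times as YYYYMMDDHHmmSS in UTC
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return (type_covered, expiration, inception) for each RRSIG line."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception tag signer sig
        if len(f) >= 13 and f[3] == "RRSIG":
            sigs.append((f[4], _ts(f[8]), _ts(f[9])))
    return sigs

def check_expiration(text, now, warn_days=7, crit_days=2):
    """Return (status, message) for the signature that expires first."""
    sigs = parse_rrsigs(text)
    if not sigs:
        return CRITICAL, "no RRSIG records found"
    for covered, _, inception in sigs:
        if now < inception:  # signed in the future: clock skew or a bad signer run
            return CRITICAL, f"RRSIG {covered} not valid before {inception:%Y-%m-%d %H:%M} UTC"
    covered, expiration, _ = min(sigs, key=lambda s: s[1])
    days = (expiration - now).total_seconds() / 86400
    if days <= 0:
        return CRITICAL, f"RRSIG {covered} expired {-days:.1f} days ago"
    if days < crit_days:
        return CRITICAL, f"RRSIG {covered} expires in {days:.1f} days"
    if days < warn_days:
        return WARNING, f"RRSIG {covered} expires in {days:.1f} days"
    return OK, f"RRSIG {covered} expires in {days:.1f} days"

if __name__ == "__main__":
    status, message = check_expiration(SAMPLE, datetime(2015, 7, 31, tzinfo=timezone.utc))
    print(("OK", "WARNING", "CRITICAL")[status], "-", message)
    raise SystemExit(status)
```

The warning threshold should be longer than the time it takes to notice and re-sign, and shorter than the zone's normal signature refresh interval, otherwise the check warns permanently.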
It’s the last Friday of July so Happy Sysadminday to you all
Looks like ARIN is (almost) out of IPv4 space. When I checked they had 88 /23 and 440 /24 networks left.
A story I was told recently and loosely related to today's other post
Boss is telling one of his admins that there is plenty of time to implement IPv6. At least a couple of years. A week later one of their sales people sold IPv6 support to a big customer.
I’ve been saying it for years: “Even if you don’t implement IPv6 right away make sure that new hard- and software you are buying supports IPv6.”
In the last couple of months I have heard a lot of complaints: “We can’t do IPv6. We just bought $product last year and it does not support IPv6.”
Teredo and 6to4. In case you haven’t noticed: looking up teredo.microsoft.com will lead to NXDOMAIN. See this posting on the NANOG mailing list for details. And 6to4 was deprecated, see RFC 7526.
Sometimes I like to know if a given domain uses IPv6 (and DNSSEC).
I finished a small shell script last week to automate this task.
jens@screen:~/check_dns.git$ ./check_dns.sh quux.de
Domain has DNSSEC
Host has at least one AAAA record
At least one nameserver has an AAAA record
At least one MX has an AAAA record
Maybe I’ll add some checks to see if those IPv6 addresses are really accessible.
I’m just working on a distributed Icinga2 setup (I’ll write more about it later this month). There is a lot of SNMP monitoring involved and today I tried to get some MIBs
1. Why do I need an account (and probably a support contract) to download MIBs?
2. Naming an archive mib.zip is a stupid idea. I now have several files with the same name. All from different vendors.
3. Advertising SNMP and then only returning sysUptime, sysLocation, etc. is also ….
And another one for the wall of shame:
[jens:~] $ host forge.puppetlabs.com
forge.puppetlabs.com is an alias for forge-web-fr.puppetlabs.com.
forge-web-fr.puppetlabs.com has address 220.127.116.11
Too bad when your puppet master is IPv6 only and you want to install or upgrade
I just filed a bug.
$ git clone https://github.com/.....
error: Failed to connect to 18.104.22.168: Network is unreachable while accessing https://github.com/.....
fatal: HTTP request failed
Which is correct. My host has no vintage IP address.