We already wrote about . Now all our domains are DNSSEC-signed, and with automatic key rollovers we don't really need to worry much about expired signatures, but this is yet another layer of technology, and it's always worth keeping an eye on it.

We again use Wazuh command monitoring (see the previous article) and custom rules, but instead of curl we use the delv command from the dnsutils package on Ubuntu.

Relevant section from ossec.conf:

<localfile>
     <log_format>command</log_format>
     <command>delv webcookies.org +cd</command>
     <alias>delv webcookies.org</alias>
     <frequency>3600</frequency>
</localfile>

Now, a word on the delv command — it is the dig equivalent for DNSSEC: it validates the whole signature chain, from the TLD down to your domain's records. Usually you can call it simply as delv webcookies.org, which prints fully validated when everything is OK. For Wazuh monitoring, however, we are more interested in the cases where not everything is OK, and there delv's default answer is less useful. Therefore we add the +cd option (it sets the Checking Disabled bit on the queries, so delv validates the answers itself rather than trusting the upstream resolver) to get the full detail:

$ delv signotincepted.bad-dnssec.wb.sidnlabs.nl +cd
;; validating signotincepted.bad-dnssec.wb.sidnlabs.nl/DS: verify failed due to bad signature (keyid=56725): RRSIG validity period has not begun
;; validating signotincepted.bad-dnssec.wb.sidnlabs.nl/DS: no valid signature found
;; RRSIG validity period has not begun resolving 'signotincepted.bad-dnssec.wb.sidnlabs.nl/DS/IN': 192.168.1.254#53
;; validating signotincepted.bad-dnssec.wb.sidnlabs.nl/DNSKEY: bad cache hit (signotincepted.bad-dnssec.wb.sidnlabs.nl/DS)
;; broken trust chain resolving 'signotincepted.bad-dnssec.wb.sidnlabs.nl/DNSKEY/IN': 192.168.1.254#53
;; broken trust chain resolving 'signotincepted.bad-dnssec.wb.sidnlabs.nl/A/IN': 192.168.1.254#53
;; resolution failed: broken trust chain

Now, all these unique strings are precisely what we can point Wazuh at. So here are the custom rules (see the previous article for details on how to add them):

<group name="ossec,dnssec,">
    <!-- Parent rule: every line of delv output reported by command monitoring (rule 530) -->
    <rule id="100090" level="0">
        <if_sid>530</if_sid>
        <match>delv</match>
        <description>DNSSEC validation check</description>
    </rule>

    <!-- Child rules chain to the delv parent rule 100090 above -->
    <rule id="100091" level="3">
        <if_sid>100090</if_sid>
        <match>fully validated</match>
        <description>DNSSEC validated</description>
    </rule>

    <rule id="100092" level="12" ignore="3600">
        <if_sid>100090</if_sid>
        <match>resolution failed</match>
        <description>DNSSEC resolution failed</description>
    </rule>
</group>
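One practical refinement of the delv-plus-rules setup above is to wrap delv in a small script that collapses its multi-line output into a single status line per domain, so the Wazuh rule can match a stable string that also carries the domain name and the failure reason. The script below is an added example, not code from the original article or from Wazuh; it assumes delv is on PATH, that delv reports success with "; fully validated" (as the article shows) and failure with ";; resolution failed: <reason>" (as in the output above), and that delv prints "; unsigned answer" for a zone with no chain of trust (check this string against your delv version). The sample outputs are constructed so the classifier can be tested offline.

```shell
#!/bin/sh
# dnssec_check.sh - constructed example wrapper around delv for Wazuh command monitoring.
# Not part of the original article. Assumes delv (dnsutils / bind9-dnsutils) is on PATH.

# classify_delv_output TEXT
#   Prints one of: OK, UNSIGNED, FAIL:<reason>
#   Failure is checked first so that a partial "validated" message inside
#   a failing run can never be mistaken for success.
classify_delv_output() {
    out="$1"
    case "$out" in
        *";; resolution failed:"*)
            reason=$(printf '%s\n' "$out" | sed -n 's/^;; resolution failed: //p' | head -n 1)
            echo "FAIL:${reason}" ;;
        *"; fully validated"*) echo "OK" ;;
        *"; unsigned answer"*) echo "UNSIGNED" ;;   # assumed delv wording, see lead-in
        *) echo "FAIL:unexpected output" ;;
    esac
}

# dnssec_check DOMAIN
#   Runs delv with +cd (as in the article) and prints exactly one line:
#   "DNSSEC <domain> <status>", which is what the Wazuh rule will match on.
dnssec_check() {
    domain="$1"
    out=$(delv "$domain" +cd 2>&1)
    printf 'DNSSEC %s %s\n' "$domain" "$(classify_delv_output "$out")"
}

# Constructed sample outputs (not real delv runs) for offline testing.
SAMPLE_OK='; fully validated
webcookies.org.		3600	IN	A	192.0.2.10'
SAMPLE_BAD=';; validating example.test/DS: verify failed due to bad signature (keyid=12345): RRSIG has expired
;; validating example.test/DS: no valid signature found
;; broken trust chain resolving '"'"'example.test/A/IN'"'"': 192.0.2.53#53
;; resolution failed: broken trust chain'

# When invoked with domain names, check each one; with no arguments do nothing,
# so the functions above can be sourced or tested on their own.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        dnssec_check "$d"
    done
fi
```

With this in place, the ossec.conf entry becomes `<command>/usr/local/bin/dnssec_check.sh webcookies.org</command>` and the high-level rule can match `DNSSEC webcookies.org FAIL` instead of the bare `resolution failed` string. Note that the article's rules only fire on `resolution failed`; if the DS record for a signed zone disappears, delv simply stops validating and returns an unsigned answer without any error, which neither rule 100091 nor 100092 would catch. The `UNSIGNED` status exists so that a domain you know to be signed can be alerted on when it silently loses its chain of trust.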

Now, a word of warning — if delv returns nonsense responses for domains that you know have DNSSEC, you're most likely behind a resolver that strips the signature data, such as systemd-resolved. In this case just use any other recursive nameserver which preserves DNSSEC data.
