@oneuptime/common 10.4.12 → 10.4.13

package/Server/Utils/Monitor/Criteria/DnssecMonitorCriteria.ts

@@ -0,0 +1,108 @@
+import DataToProcess from "../DataToProcess";
+import CompareCriteria from "./CompareCriteria";
+import {
+  CheckOn,
+  CriteriaFilter,
+  FilterType,
+} from "../../../../Types/Monitor/CriteriaFilter";
+import DnssecMonitorResponse from "../../../../Types/Monitor/DnssecMonitor/DnssecMonitorResponse";
+import ProbeMonitorResponse from "../../../../Types/Probe/ProbeMonitorResponse";
+import CaptureSpan from "../../Telemetry/CaptureSpan";
+
+export default class DnssecMonitorCriteria {
+  @CaptureSpan()
+  public static async isMonitorInstanceCriteriaFilterMet(input: {
+    dataToProcess: DataToProcess;
+    criteriaFilter: CriteriaFilter;
+  }): Promise<string | null> {
+    const dataToProcess: ProbeMonitorResponse =
+      input.dataToProcess as ProbeMonitorResponse;
+
+    const dnssecResponse: DnssecMonitorResponse | undefined =
+      dataToProcess.dnssecResponse;
+
+    if (!dnssecResponse) {
+      return null;
+    }
+
+    const isTrue: boolean = input.criteriaFilter.filterType === FilterType.True;
+    const isFalse: boolean =
+      input.criteriaFilter.filterType === FilterType.False;
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecChainValid) {
+      if (dnssecResponse.isChainValid && isTrue) {
+        return `DNSSEC chain is valid for ${dnssecResponse.domainName}.`;
+      }
+      if (!dnssecResponse.isChainValid && isFalse) {
+        return `DNSSEC chain validation failed for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecDnskeyExists) {
+      const exists: boolean = dnssecResponse.dnskeys.length > 0;
+      if (exists && isTrue) {
+        return `DNSKEY records present for ${dnssecResponse.domainName}.`;
+      }
+      if (!exists && isFalse) {
+        return `No DNSKEY records found for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecDsExists) {
+      const exists: boolean = dnssecResponse.isParentDsPresent;
+      if (exists && isTrue) {
+        return `DS records present at parent zone for ${dnssecResponse.domainName}.`;
+      }
+      if (!exists && isFalse) {
+        return `No DS records found at the parent zone for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecResolverConsensus) {
+      const consensus: boolean = dnssecResponse.resolverConsensusAd;
+      if (consensus && isTrue) {
+        return `All resolvers report DNSSEC-valid (AD flag) for ${dnssecResponse.domainName}.`;
+      }
+      if (!consensus && isFalse) {
+        return `Resolvers do not agree on DNSSEC validity for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecNameserverConsistent) {
+      const consistent: boolean = dnssecResponse.isNameserverConsistent;
+      if (consistent && isTrue) {
+        return `Authoritative nameservers are consistent for ${dnssecResponse.domainName}.`;
+      }
+      if (!consistent && isFalse) {
+        return `Authoritative nameservers are inconsistent for ${dnssecResponse.domainName}.`;
+      }
+      return null;
+    }
+
+    if (input.criteriaFilter.checkOn === CheckOn.DnssecSignatureExpiresInDays) {
+      const threshold: number | null = CompareCriteria.convertToNumber(
+        input.criteriaFilter.value,
+      );
+
+      if (threshold === null || threshold === undefined) {
+        return null;
+      }
+
+      if (dnssecResponse.daysUntilSignatureExpiry === undefined) {
+        return null;
+      }
+
+      return CompareCriteria.compareCriteriaNumbers({
+        value: dnssecResponse.daysUntilSignatureExpiry,
+        threshold: threshold,
+        criteriaFilter: input.criteriaFilter,
+      });
+    }
+
+    return null;
+  }
+}

package/Server/Utils/Monitor/MonitorCriteriaEvaluator.ts

@@ -18,6 +18,7 @@ import ProfileMonitorCriteria from "./Criteria/ProfileMonitorCriteria";
 import SnmpMonitorCriteria from "./Criteria/SnmpMonitorCriteria";
 import DnsMonitorCriteria from "./Criteria/DnsMonitorCriteria";
 import DomainMonitorCriteria from "./Criteria/DomainMonitorCriteria";
+import DnssecMonitorCriteria from "./Criteria/DnssecMonitorCriteria";
 import ExternalStatusPageMonitorCriteria from "./Criteria/ExternalStatusPageMonitorCriteria";
 import MonitorCriteriaMessageBuilder from "./MonitorCriteriaMessageBuilder";
 import MonitorCriteriaDataExtractor from "./MonitorCriteriaDataExtractor";
@@ -761,6 +762,18 @@ ${contextBlock}
       }
     }
 
+    if (input.monitor.monitorType === MonitorType.DNSSEC) {
+      const dnssecMonitorResult: string | null =
+        await DnssecMonitorCriteria.isMonitorInstanceCriteriaFilterMet({
+          dataToProcess: input.dataToProcess,
+          criteriaFilter: input.criteriaFilter,
+        });
+
+      if (dnssecMonitorResult) {
+        return dnssecMonitorResult;
+      }
+    }
+
     if (input.monitor.monitorType === MonitorType.ExternalStatusPage) {
       const externalStatusPageResult: string | null =
         await ExternalStatusPageMonitorCriteria.isMonitorInstanceCriteriaFilterMet(

package/Server/Utils/Monitor/MonitorTemplateUtil.ts

@@ -19,6 +19,7 @@ import DnsMonitorResponse, {
   DnsRecordResponse,
 } from "../../../Types/Monitor/DnsMonitor/DnsMonitorResponse";
 import DomainMonitorResponse from "../../../Types/Monitor/DomainMonitor/DomainMonitorResponse";
+import DnssecMonitorResponse from "../../../Types/Monitor/DnssecMonitor/DnssecMonitorResponse";
 import ExternalStatusPageMonitorResponse, {
   ExternalStatusPageComponentStatus,
 } from "../../../Types/Monitor/ExternalStatusPageMonitor/ExternalStatusPageMonitorResponse";
@@ -332,6 +333,30 @@ export default class MonitorTemplateUtil {
         } as JSONObject;
       }
 
+      if (data.monitorType === MonitorType.DNSSEC) {
+        const dnssecResponse: DnssecMonitorResponse | undefined = (
+          data.dataToProcess as ProbeMonitorResponse
+        ).dnssecResponse;
+
+        storageMap = {
+          isOnline: (data.dataToProcess as ProbeMonitorResponse).isOnline,
+          responseTimeInMs: dnssecResponse?.responseTimeInMs,
+          failureCause: dnssecResponse?.failureCause,
+          domainName: dnssecResponse?.domainName,
+          isZoneSigned: dnssecResponse?.isZoneSigned,
+          isParentDsPresent: dnssecResponse?.isParentDsPresent,
+          isChainValid: dnssecResponse?.isChainValid,
+          resolverConsensusAd: dnssecResponse?.resolverConsensusAd,
+          isNameserverConsistent: dnssecResponse?.isNameserverConsistent,
+          earliestSignatureExpiration:
+            dnssecResponse?.earliestSignatureExpiration,
+          daysUntilSignatureExpiry: dnssecResponse?.daysUntilSignatureExpiry,
+          dnskeyCount: dnssecResponse?.dnskeys?.length,
+          dsRecordCount: dnssecResponse?.parentDsRecords?.length,
+          rrsigCount: dnssecResponse?.rrsigs?.length,
+        } as JSONObject;
+      }
+
       if (
         data.monitorType === MonitorType.Metrics ||
         data.monitorType === MonitorType.Kubernetes ||

package/Types/Monitor/CriteriaFilter.ts

@@ -84,6 +84,14 @@ export enum CheckOn {
   DomainStatusCode = "Domain Status Code",
   DomainIsExpired = "Domain Is Expired",
 
+  // DNSSEC monitors.
+  DnssecChainValid = "DNSSEC Chain Is Valid",
+  DnssecDnskeyExists = "DNSSEC DNSKEY Record Exists",
+  DnssecDsExists = "DNSSEC DS Record Exists At Parent",
+  DnssecSignatureExpiresInDays = "DNSSEC Signature Expires In Days",
+  DnssecResolverConsensus = "DNSSEC Resolver Consensus (AD Flag)",
+  DnssecNameserverConsistent = "DNSSEC Nameservers Are Consistent",
+
   // External Status Page monitors.
   ExternalStatusPageIsOnline = "External Status Page Is Online",
   ExternalStatusPageOverallStatus = "External Status Page Overall Status",
@@ -279,6 +287,11 @@ export class CriteriaFilterUtil {
       checkOn === CheckOn.SnmpIsOnline ||
       checkOn === CheckOn.DnsIsOnline ||
       checkOn === CheckOn.DomainIsExpired ||
+      checkOn === CheckOn.DnssecChainValid ||
+      checkOn === CheckOn.DnssecDnskeyExists ||
+      checkOn === CheckOn.DnssecDsExists ||
+      checkOn === CheckOn.DnssecResolverConsensus ||
+      checkOn === CheckOn.DnssecNameserverConsistent ||
       checkOn === CheckOn.ExternalStatusPageIsOnline
     ) {
       return false;

package/Types/Monitor/DnssecMonitor/DnssecMonitorResponse.ts

@@ -0,0 +1,69 @@
+export interface DnssecKeyRecord {
+  flags: number;
+  algorithm: number;
+  keyTag?: number | undefined;
+}
+
+export interface DnssecDsRecord {
+  keyTag: number;
+  algorithm: number;
+  digestType: number;
+  digest: string;
+}
+
+export interface DnssecRrsigRecord {
+  typeCovered: string;
+  algorithm: number;
+  signerName: string;
+  keyTag: number;
+  inception?: string | undefined;
+  expiration?: string | undefined;
+}
+
+export interface DnssecResolverCheck {
+  resolver: string;
+  adFlag: boolean;
+  servfailWhenValidating: boolean;
+  error?: string | undefined;
+}
+
+export interface DnssecNameserverCheck {
+  nameServer: string;
+  soaSerial?: string | undefined;
+  rrsigExpiration?: string | undefined;
+  error?: string | undefined;
+}
+
+export default interface DnssecMonitorResponse {
+  isOnline: boolean;
+  responseTimeInMs: number;
+  failureCause: string;
+  domainName: string;
+  isTimeout?: boolean | undefined;
+
+  // Zone signed?
+  isZoneSigned: boolean;
+
+  // DNSKEY presence
+  dnskeys: Array<DnssecKeyRecord>;
+
+  // DS at parent
+  parentDsRecords: Array<DnssecDsRecord>;
+  isParentDsPresent: boolean;
+
+  // RRSIG over the A record (zone apex by default)
+  rrsigs: Array<DnssecRrsigRecord>;
+  earliestSignatureExpiration?: string | undefined;
+  daysUntilSignatureExpiry?: number | undefined;
+
+  // Resolver consensus (AD flag + CD-bit SERVFAIL test)
+  resolverChecks: Array<DnssecResolverCheck>;
+  resolverConsensusAd: boolean;
+
+  // Primary/secondary nameserver consistency
+  nameserverChecks: Array<DnssecNameserverCheck>;
+  isNameserverConsistent: boolean;
+
+  // Overall chain validity (DNSKEY exists, DS exists, RRSIG valid, AD across resolvers)
+  isChainValid: boolean;
+}

package/Types/Monitor/MonitorCriteriaInstance.ts

@@ -487,6 +487,33 @@ export default class MonitorCriteriaInstance extends DatabaseProperty {
       return monitorCriteriaInstance;
     }
 
+    if (arg.monitorType === MonitorType.DNSSEC) {
+      const monitorCriteriaInstance: MonitorCriteriaInstance =
+        new MonitorCriteriaInstance();
+
+      monitorCriteriaInstance.data = {
+        id: ObjectID.generate().toString(),
+        monitorStatusId: arg.monitorStatusId,
+        filterCondition: FilterCondition.All,
+        filters: [
+          {
+            checkOn: CheckOn.DnssecChainValid,
+            filterType: FilterType.True,
+            value: undefined,
+          },
+        ],
+        incidents: [],
+        alerts: [],
+        createAlerts: false,
+        changeMonitorStatus: true,
+        createIncidents: false,
+        name: `Check if ${arg.monitorName} DNSSEC chain is valid`,
+        description: `This criteria checks if the ${arg.monitorName} DNSSEC chain is valid end-to-end`,
+      };
+
+      return monitorCriteriaInstance;
+    }
+
     if (arg.monitorType === MonitorType.ExternalStatusPage) {
       const monitorCriteriaInstance: MonitorCriteriaInstance =
         new MonitorCriteriaInstance();
@@ -695,6 +722,46 @@ export default class MonitorCriteriaInstance extends DatabaseProperty {
       };
     }
 
+    if (arg.monitorType === MonitorType.DNSSEC) {
+      monitorCriteriaInstance.data = {
+        id: ObjectID.generate().toString(),
+        monitorStatusId: arg.monitorStatusId,
+        filterCondition: FilterCondition.Any,
+        filters: [
+          {
+            checkOn: CheckOn.DnssecChainValid,
+            filterType: FilterType.False,
+            value: undefined,
+          },
+        ],
+        incidents: [
+          {
+            title: `${arg.monitorName} DNSSEC chain is broken`,
+            description: `${arg.monitorName} DNSSEC validation is currently failing.`,
+            incidentSeverityId: arg.incidentSeverityId,
+            autoResolveIncident: true,
+            id: ObjectID.generate().toString(),
+            onCallPolicyIds: [],
+          },
+        ],
+        changeMonitorStatus: true,
+        createIncidents: true,
+        createAlerts: false,
+        alerts: [
+          {
+            title: `${arg.monitorName} DNSSEC chain is broken`,
+            description: `${arg.monitorName} DNSSEC validation is currently failing.`,
+            alertSeverityId: arg.alertSeverityId,
+            autoResolveAlert: true,
+            id: ObjectID.generate().toString(),
+            onCallPolicyIds: [],
+          },
+        ],
+        name: `Check if ${arg.monitorName} DNSSEC chain is broken`,
+        description: `This criteria checks if the ${arg.monitorName} DNSSEC chain is broken`,
+      };
+    }
+
     if (arg.monitorType === MonitorType.ExternalStatusPage) {
       monitorCriteriaInstance.data = {
         id: ObjectID.generate().toString(),

package/Types/Monitor/MonitorStep.ts

@@ -38,6 +38,9 @@ import MonitorStepDnsMonitor, {
 import MonitorStepDomainMonitor, {
   MonitorStepDomainMonitorUtil,
 } from "./MonitorStepDomainMonitor";
+import MonitorStepDnssecMonitor, {
+  MonitorStepDnssecMonitorUtil,
+} from "./MonitorStepDnssecMonitor";
 import MonitorStepExternalStatusPageMonitor, {
   MonitorStepExternalStatusPageMonitorUtil,
 } from "./MonitorStepExternalStatusPageMonitor";
@@ -109,6 +112,9 @@ export interface MonitorStepType {
   // Domain monitor
   domainMonitor?: MonitorStepDomainMonitor | undefined;
 
+  // DNSSEC monitor
+  dnssecMonitor?: MonitorStepDnssecMonitor | undefined;
+
   // External Status Page monitor
   externalStatusPageMonitor?: MonitorStepExternalStatusPageMonitor | undefined;
 
@@ -150,6 +156,7 @@ export default class MonitorStep extends DatabaseProperty {
       snmpMonitor: undefined,
       dnsMonitor: undefined,
       domainMonitor: undefined,
+      dnssecMonitor: undefined,
       externalStatusPageMonitor: undefined,
       kubernetesMonitor: undefined,
       dockerMonitor: undefined,
@@ -191,6 +198,7 @@ export default class MonitorStep extends DatabaseProperty {
       snmpMonitor: undefined,
       dnsMonitor: undefined,
       domainMonitor: undefined,
+      dnssecMonitor: undefined,
       externalStatusPageMonitor: undefined,
       kubernetesMonitor: undefined,
       dockerMonitor: undefined,
@@ -334,6 +342,13 @@ export default class MonitorStep extends DatabaseProperty {
     return this;
   }
 
+  public setDnssecMonitor(
+    dnssecMonitor: MonitorStepDnssecMonitor,
+  ): MonitorStep {
+    this.data!.dnssecMonitor = dnssecMonitor;
+    return this;
+  }
+
   public setExternalStatusPageMonitor(
     externalStatusPageMonitor: MonitorStepExternalStatusPageMonitor,
   ): MonitorStep {
@@ -508,6 +523,23 @@ export default class MonitorStep extends DatabaseProperty {
       }
     }
 
+    if (monitorType === MonitorType.DNSSEC) {
+      if (!value.data.dnssecMonitor) {
+        return "DNSSEC configuration is required";
+      }
+
+      if (!value.data.dnssecMonitor.domainName) {
+        return "Domain name is required";
+      }
+
+      if (
+        !value.data.dnssecMonitor.resolvers ||
+        value.data.dnssecMonitor.resolvers.length === 0
+      ) {
+        return "At least one resolver is required";
+      }
+    }
+
     if (monitorType === MonitorType.ExternalStatusPage) {
       if (!value.data.externalStatusPageMonitor) {
         return "External status page configuration is required";
@@ -600,6 +632,9 @@ export default class MonitorStep extends DatabaseProperty {
           domainMonitor: this.data.domainMonitor
             ? MonitorStepDomainMonitorUtil.toJSON(this.data.domainMonitor)
             : undefined,
+          dnssecMonitor: this.data.dnssecMonitor
+            ? MonitorStepDnssecMonitorUtil.toJSON(this.data.dnssecMonitor)
+            : undefined,
           externalStatusPageMonitor: this.data.externalStatusPageMonitor
             ? MonitorStepExternalStatusPageMonitorUtil.toJSON(
                 this.data.externalStatusPageMonitor,
@@ -734,6 +769,9 @@ export default class MonitorStep extends DatabaseProperty {
       domainMonitor: json["domainMonitor"]
         ? (json["domainMonitor"] as JSONObject)
         : undefined,
+      dnssecMonitor: json["dnssecMonitor"]
+        ? (json["dnssecMonitor"] as JSONObject)
+        : undefined,
       externalStatusPageMonitor: json["externalStatusPageMonitor"]
         ? (json["externalStatusPageMonitor"] as JSONObject)
         : undefined,
@@ -775,6 +813,7 @@ export default class MonitorStep extends DatabaseProperty {
         snmpMonitor: Zod.any().optional(),
         dnsMonitor: Zod.any().optional(),
         domainMonitor: Zod.any().optional(),
+        dnssecMonitor: Zod.any().optional(),
         externalStatusPageMonitor: Zod.any().optional(),
         kubernetesMonitor: Zod.any().optional(),
         dockerMonitor: Zod.any().optional(),

package/Types/Monitor/MonitorStepDnssecMonitor.ts

@@ -0,0 +1,59 @@
+import { JSONObject } from "../JSON";
+
+export default interface MonitorStepDnssecMonitor {
+  domainName: string;
+  resolvers: Array<string>;
+  checkNameserverConsistency: boolean;
+  signatureExpiryWarningDays: number;
+  timeout: number;
+  retries: number;
+}
+
+export class MonitorStepDnssecMonitorUtil {
+  public static getDefault(): MonitorStepDnssecMonitor {
+    return {
+      domainName: "",
+      resolvers: ["1.1.1.1", "8.8.8.8", "9.9.9.9"],
+      checkNameserverConsistency: true,
+      signatureExpiryWarningDays: 7,
+      timeout: 10000,
+      retries: 3,
+    };
+  }
+
+  public static fromJSON(json: JSONObject): MonitorStepDnssecMonitor {
+    const defaults: MonitorStepDnssecMonitor =
+      MonitorStepDnssecMonitorUtil.getDefault();
+
+    const resolvers: Array<string> = Array.isArray(json["resolvers"])
+      ? (json["resolvers"] as Array<string>).filter((value: unknown) => {
+          return typeof value === "string" && value.length > 0;
+        })
+      : defaults.resolvers;
+
+    return {
+      domainName: (json["domainName"] as string) || "",
+      resolvers: resolvers.length > 0 ? resolvers : defaults.resolvers,
+      checkNameserverConsistency:
+        typeof json["checkNameserverConsistency"] === "boolean"
+          ? (json["checkNameserverConsistency"] as boolean)
+          : defaults.checkNameserverConsistency,
+      signatureExpiryWarningDays:
+        (json["signatureExpiryWarningDays"] as number) ||
+        defaults.signatureExpiryWarningDays,
+      timeout: (json["timeout"] as number) || defaults.timeout,
+      retries: (json["retries"] as number) || defaults.retries,
+    };
+  }
+
+  public static toJSON(monitor: MonitorStepDnssecMonitor): JSONObject {
+    return {
+      domainName: monitor.domainName,
+      resolvers: monitor.resolvers,
+      checkNameserverConsistency: monitor.checkNameserverConsistency,
+      signatureExpiryWarningDays: monitor.signatureExpiryWarningDays,
+      timeout: monitor.timeout,
+      retries: monitor.retries,
+    };
+  }
+}

package/Types/Monitor/MonitorType.ts

@@ -32,6 +32,9 @@ enum MonitorType {
   // DNS monitoring
   DNS = "DNS",
 
+  // DNSSEC validation monitoring
+  DNSSEC = "DNSSEC",
+
   // Domain registration monitoring
   Domain = "Domain",
 
@@ -64,12 +67,15 @@ export class MonitorTypeHelper {
           MonitorType.Ping,
           MonitorType.IP,
           MonitorType.Port,
-          MonitorType.DNS,
           MonitorType.SSLCertificate,
           MonitorType.Domain,
           MonitorType.ExternalStatusPage,
         ],
       },
+      {
+        label: "DNS Monitoring",
+        monitorTypes: [MonitorType.DNS, MonitorType.DNSSEC],
+      },
       {
         label: "Synthetic Monitoring",
         monitorTypes: [
@@ -273,6 +279,13 @@ export class MonitorTypeHelper {
           "This monitor type lets you monitor DNS resolution for your domains, verify record values, and check DNSSEC validity.",
         icon: IconProp.GlobeAlt,
       },
+      {
+        monitorType: MonitorType.DNSSEC,
+        title: "DNSSEC",
+        description:
+          "This monitor type performs full DNSSEC validation — DNSKEY, DS at the parent zone, RRSIG validity windows, AD-flag/SERVFAIL behavior across public resolvers, and primary/secondary nameserver consistency.",
+        icon: IconProp.Key,
+      },
       {
         monitorType: MonitorType.Domain,
         title: "Domain",
@@ -334,6 +347,7 @@ export class MonitorTypeHelper {
       monitorType === MonitorType.CustomJavaScriptCode ||
       monitorType === MonitorType.SNMP ||
       monitorType === MonitorType.DNS ||
+      monitorType === MonitorType.DNSSEC ||
       monitorType === MonitorType.Domain ||
       monitorType === MonitorType.ExternalStatusPage;
     return isProbeableMonitor;
@@ -359,6 +373,7 @@ export class MonitorTypeHelper {
       MonitorType.Profiles,
       MonitorType.SNMP,
       MonitorType.DNS,
+      MonitorType.DNSSEC,
       MonitorType.Domain,
       MonitorType.ExternalStatusPage,
       MonitorType.Kubernetes,
@@ -397,6 +412,7 @@ export class MonitorTypeHelper {
       monitorType === MonitorType.CustomJavaScriptCode ||
       monitorType === MonitorType.SNMP ||
       monitorType === MonitorType.DNS ||
+      monitorType === MonitorType.DNSSEC ||
       monitorType === MonitorType.Domain ||
       monitorType === MonitorType.ExternalStatusPage
     ) {

package/Types/Probe/ProbeMonitorResponse.ts

@@ -9,6 +9,7 @@ import SyntheticMonitorResponse from "../Monitor/SyntheticMonitors/SyntheticMoni
 import SnmpMonitorResponse from "../Monitor/SnmpMonitor/SnmpMonitorResponse";
 import DnsMonitorResponse from "../Monitor/DnsMonitor/DnsMonitorResponse";
 import DomainMonitorResponse from "../Monitor/DomainMonitor/DomainMonitorResponse";
+import DnssecMonitorResponse from "../Monitor/DnssecMonitor/DnssecMonitorResponse";
 import ExternalStatusPageMonitorResponse from "../Monitor/ExternalStatusPageMonitor/ExternalStatusPageMonitorResponse";
 import MonitorEvaluationSummary from "../Monitor/MonitorEvaluationSummary";
 import ObjectID from "../ObjectID";
@@ -35,6 +36,7 @@ export default interface ProbeMonitorResponse {
   snmpResponse?: SnmpMonitorResponse | undefined;
   dnsResponse?: DnsMonitorResponse | undefined;
   domainResponse?: DomainMonitorResponse | undefined;
+  dnssecResponse?: DnssecMonitorResponse | undefined;
   externalStatusPageResponse?: ExternalStatusPageMonitorResponse | undefined;
   monitoredAt: Date;
   isTimeout?: boolean | undefined;

package/UI/Components/MonitorTemplateVariables/TemplateVariablesCatalog.ts

@@ -405,6 +405,57 @@ export default class TemplateVariablesCatalog {
           ],
         };
 
+      case MonitorType.DNSSEC:
+        return {
+          title: "DNSSEC",
+          variables: [
+            {
+              key: "isOnline",
+              description: "True if the DNSSEC check completed.",
+            },
+            { key: "domainName", description: "Zone queried." },
+            {
+              key: "isZoneSigned",
+              description: "True if any DNSKEY records exist for the zone.",
+            },
+            {
+              key: "isParentDsPresent",
+              description: "True if DS records exist at the parent zone.",
+            },
+            {
+              key: "isChainValid",
+              description:
+                "True if DNSKEY, DS, RRSIG, and resolver AD-flag all check out.",
+            },
+            {
+              key: "resolverConsensusAd",
+              description:
+                "True if every configured resolver returned the AD flag.",
+            },
+            {
+              key: "isNameserverConsistent",
+              description:
+                "True if every authoritative nameserver returned the same SOA serial.",
+            },
+            {
+              key: "earliestSignatureExpiration",
+              description: "Earliest RRSIG expiration timestamp (ISO).",
+            },
+            {
+              key: "daysUntilSignatureExpiry",
+              description: "Days until the earliest RRSIG expires.",
+            },
+            { key: "dnskeyCount", description: "Number of DNSKEY records." },
+            {
+              key: "dsRecordCount",
+              description: "Number of DS records at the parent.",
+            },
+            { key: "rrsigCount", description: "Number of RRSIG records seen." },
+            { key: "responseTimeInMs", description: "Total check duration." },
+            { key: "failureCause", description: "Failure reason." },
+          ],
+        };
+
       case MonitorType.ExternalStatusPage:
         return {
           title: "External Status Page",

package/Utils/Monitor/MonitorMetricType.ts

@@ -171,6 +171,7 @@ class MonitorMetricTypeUtil {
       monitorType === MonitorType.Port ||
       monitorType === MonitorType.SNMP ||
       monitorType === MonitorType.DNS ||
+      monitorType === MonitorType.DNSSEC ||
       monitorType === MonitorType.Domain ||
       monitorType === MonitorType.ExternalStatusPage
     ) {