diff --git
a/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration
b/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration
index
8ea5d51
..
1b54970
100755
(executable)
--- a/
dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration
+++ b/
dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration
@@
-43,6
+43,10
@@
# - do more than one zone
# Copyright (c) 2012 Peter Palfrader <peter@palfrader.org>
# - add -s option to configure udp packet size. default changed from 4k to 1k
# - do more than one zone
# Copyright (c) 2012 Peter Palfrader <peter@palfrader.org>
# - add -s option to configure udp packet size. default changed from 4k to 1k
+# Copyright (c) 2013 Peter Palfrader <peter@palfrader.org>
+# - add -r option to override initial refs.
+# Copyright (c) 2014 Peter Palfrader <peter@palfrader.org>
+# - Do not ask for RRSIG directly, instead ask for SOA with dnssec data
# usage
# usage
@@
-92,7
+96,7
@@
sub convert_time {
}
my %opts = (t=>30, s=>1024);
}
my %opts = (t=>30, s=>1024);
-getopts('hdt:c:w:s:', \%opts);
+getopts('hdt:c:w:s:
r:
', \%opts);
usage() unless scalar @ARGV == 1;
usage() if $opts{h};
my $zone = $ARGV[0];
usage() unless scalar @ARGV == 1;
usage() if $opts{h};
my $zone = $ARGV[0];
@@
-121,6
+125,7
@@
k.root-servers.net
l.root-servers.net
m.root-servers.net
);
l.root-servers.net
m.root-servers.net
);
+@refs = split(/\s*,\s*/, $opts{r}) if (defined $opts{r});
$start = [gettimeofday()];
do_recursion();
$start = [gettimeofday()];
do_recursion();
@@
-134,25
+139,28
@@
sub do_recursion {
do {
print STDERR "\nRECURSE\n" if $opts{d};
my $pkt;
do {
print STDERR "\nRECURSE\n" if $opts{d};
my $pkt;
+ my $prettyrefs = (scalar @refs) ? join(", ", @refs) : "empty set(!?)";
foreach my $ns (shuffle @refs) {
foreach my $ns (shuffle @refs) {
- print STDERR "sending query for $zone
RRSIG
to $ns\n" if $opts{d};
+ print STDERR "sending query for $zone
NS
to $ns\n" if $opts{d};
$res->nameserver($ns);
$res->udp_timeout($opts{t});
$res->udppacketsize($opts{s});
$res->nameserver($ns);
$res->udp_timeout($opts{t});
$res->udppacketsize($opts{s});
- $pkt = $res->send($zone, '
RRSIG
');
+ $pkt = $res->send($zone, '
NS
');
last if $pkt;
}
last if $pkt;
}
- critical("No response to seed query") unless $pkt;
+ critical("No response to seed query
for $zone from $prettyrefs.
") unless $pkt;
critical($pkt->header->rcode . " from " . $pkt->answerfrom)
unless ($pkt->header->rcode eq 'NOERROR');
@refs = ();
critical($pkt->header->rcode . " from " . $pkt->answerfrom)
unless ($pkt->header->rcode eq 'NOERROR');
@refs = ();
- foreach my $rr ($pkt->authority) {
+ foreach my $rr ($pkt->authority
, $pkt->answer
) {
print STDERR $rr->string, "\n" if $opts{d};
print STDERR $rr->string, "\n" if $opts{d};
- push (@refs, $rr->nsdname);
+ push (@refs, $rr->nsdname)
if $rr->type eq 'NS'
;
next unless lc($rr->name) eq lc($zone);
add_nslist_to_data($pkt);
next unless lc($rr->name) eq lc($zone);
add_nslist_to_data($pkt);
+ #print STDERR "Adding for $zone: ", $pkt->string, "\n" if $opts{d};
$done = 1;
}
$done = 1;
}
+ critical("No new references after querying for $zone NS from $prettyrefs. Packet was ".$pkt->string) unless (scalar @refs);
} while (! $done);
}
} while (! $done);
}
@@
-163,11
+171,11
@@
sub do_queries {
$n = 0;
foreach my $ns (keys %$data) {
next if $data->{$ns}->{done};
$n = 0;
foreach my $ns (keys %$data) {
next if $data->{$ns}->{done};
- print STDERR "\nQUERY
$ns
\n" if $opts{d};
+ print STDERR "\nQUERY
\@$ns SOA $zone
\n" if $opts{d};
- my $pkt = send_query($zone, '
RRSIG
', $ns);
+ my $pkt = send_query($zone, '
SOA
', $ns);
add_nslist_to_data($pkt);
add_nslist_to_data($pkt);
- $data->{$ns}->{queries}->{
RRSIG
} = $pkt;
+ $data->{$ns}->{queries}->{
SOA
} = $pkt;
print STDERR "done with $ns\n" if $opts{d};
$data->{$ns}->{done} = 1;
print STDERR "done with $ns\n" if $opts{d};
$data->{$ns}->{done} = 1;
@@
-182,7
+190,7
@@
sub do_analyze {
my %MAX_EXP_BY_TYPE;
foreach my $ns (keys %$data) {
print STDERR "\nANALYZE $ns\n" if $opts{d};
my %MAX_EXP_BY_TYPE;
foreach my $ns (keys %$data) {
print STDERR "\nANALYZE $ns\n" if $opts{d};
- my $pkt = $data->{$ns}->{queries}->{
RRSIG
};
+ my $pkt = $data->{$ns}->{queries}->{
SOA
};
critical("No response from $ns") unless $pkt;
print STDERR $pkt->string if $opts{d};
critical($pkt->header->rcode . " from $ns")
critical("No response from $ns") unless $pkt;
print STDERR $pkt->string if $opts{d};
critical($pkt->header->rcode . " from $ns")
@@
-221,7
+229,7
@@
sub do_analyze {
my $ND = sprintf "%3.1f days", ($min_exp-$NOW)/86400;
warning("$min_type RRSIG expires in $ND at $min_ns")
}
my $ND = sprintf "%3.1f days", ($min_exp-$NOW)/86400;
warning("$min_type RRSIG expires in $ND at $min_ns")
}
- success(sprintf("No RRSIGs expiring in the next %3.1f days", $WARN/86400));
+ success(sprintf("No RRSIGs
at zone apex
expiring in the next %3.1f days", $WARN/86400));
}
sub sigrr_exp_epoch {
}
sub sigrr_exp_epoch {
@@
-271,7
+279,7
@@
sub output {
}
sub usage {
}
sub usage {
- print STDERR "usage: $0 [-d] [-w=<warn>] [-c=<crit>] [-t=<timeout>] <zone>\n";
+ print STDERR "usage: $0 [-d] [-w=<warn>] [-c=<crit>] [-t=<timeout>]
[-r=<initialns1>[,<initialns2>[,..]]] [-s=<packet-size>]
<zone>\n";
exit 3;
}
exit 3;
}
@@
-282,6
+290,7
@@
sub send_query {
my $res = Net::DNS::Resolver->new;
$res->nameserver($server) if $server;
$res->udp_timeout($opts{t});
my $res = Net::DNS::Resolver->new;
$res->nameserver($server) if $server;
$res->udp_timeout($opts{t});
+ $res->dnssec(1);
$res->retry(2);
$res->udppacketsize($opts{s});
my $pkt = $res->send($qname, $qtype);
$res->retry(2);
$res->udppacketsize($opts{s});
my $pkt = $res->send($qname, $qtype);
@@
-296,11
+305,11
@@
sub send_query {
sub get_nslist {
my $pkt = shift;
return () unless $pkt;
sub get_nslist {
my $pkt = shift;
return () unless $pkt;
- return ()
unless $pkt->authority
;
+ return ()
if (!$pkt->authority && !$pkt->answer)
;
my @nslist;
my @nslist;
- foreach my $rr ($pkt->authority) {
+ foreach my $rr ($pkt->authority
, $pkt->answer
) {
next unless ($rr->type eq 'NS');
next unless ($rr->type eq 'NS');
- next unless
($rr->name eq
$zone);
+ next unless
lc($rr->name) eq lc(
$zone);
push(@nslist, lc($rr->nsdname));
}
return @nslist;
push(@nslist, lc($rr->nsdname));
}
return @nslist;
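Review bot: The new success message at the end of the do_analyze hunk, `No RRSIGs at zone apex expiring in the next %3.1f days`, overstates what is now checked: do_queries sends one SOA query per server (with the DO bit set by the new `$res->dnssec(1)` in send_query), so only the RRSIG(s) covering that SOA answer, plus whatever the server happens to add in the authority section, reach the analysis, whereas the old type-RRSIG query returned every signature at the apex. In particular the RRSIG over the DNSKEY RRset, which in most deployments is made by a different key (the KSK) with its own expiry schedule, is presumably no longer examined; if that coverage was intended, a second `send_query($zone, 'DNSKEY', $ns)` stored under `$data->{$ns}->{queries}->{DNSKEY}` and walked by do_analyze next to SOA would restore it, otherwise reword the message to `No SOA RRSIGs at zone apex expiring in the next %3.1f days` so operators do not read it as a full-apex guarantee. A smaller point in the do_recursion hunk: the new critical() text appends `$pkt->string`, a dump of an unverified network response, to the plugin output that ends up in the monitoring UI; limiting that dump to the `-d` debug path and keeping the status line to `No new references after querying for $zone NS from $prettyrefs` would be safer. do_queries and do_analyze both start before their hunks, and do_recursion's body begins before its hunk as well.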