Signed root zone exposed a bug in our termination condition

[mirror/dsa-nagios.git] / dsa-nagios-checks / checks / dsa-check-dnssec-delegation

diff --git a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
index b522049..82ffcd5 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
+++ b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
@@ -31,12 +31,14 @@ $SIG{'__DIE__'} = sub { print @_; exit 4; };
 
 my $RES = Net::DNS::Resolver->new;
 my $DLV = 'dlv.isc.org';
+my $params;
 
 sub get_tag_generic {
        my $zone = shift;
        my $type = shift;
 
        my @result;
+       print "Querying $type $zone\n" if $params->{'verbose'};
        my $pkt = $RES->send($zone, $type);
        return () unless $pkt;
        return () unless $pkt->answer;
@@ -67,6 +69,55 @@ sub get_dlvtags {
        $zone .= ".".$DLV;
        return get_tag_generic($zone, 'DLV');
 };
+sub has_dnskey_parent {
+       my $zone = shift;
+
+       my $potential_parent;
+       if ($zone =~ m/\./) {
+               $potential_parent = $zone;
+               $potential_parent =~ s/^[^.]+\.//;
+       } else {
+               $potential_parent = '.';
+       }
+
+       print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
+       my $pkt = $RES->send($potential_parent, 'DNSKEY');
+       return undef unless $pkt;
+       return undef unless $pkt->header;
+
+       unless ($pkt->answer) {
+               return undef unless $pkt->authority;
+               for my $rr ($pkt->authority) {
+                       next unless ($rr->type eq 'SOA');
+
+                       $potential_parent = $rr->name;
+                       print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
+                       $pkt = $RES->send($potential_parent, 'DNSKEY');
+                       return undef unless $pkt;
+                       last;
+               };
+       };
+
+       return (0, $potential_parent) unless $pkt->answer;
+       for my $rr ($pkt->answer) {
+               next unless ($rr->type eq 'DNSKEY');
+               return (1, $potential_parent);
+       };
+}
+sub get_parent_dnssec_status {
+       my $zone = shift;
+       my @result;
+
+       while (1) {
+               my ($status, $parent) = has_dnskey_parent($zone);
+               last unless defined $status;
+               push @result, ($status ? "yes" : "no") . ("($parent)");
+               $zone = $parent;
+               last if $zone eq "" || $zone eq '.';
+       };
+
+       return join(', ', @result);
+};
 
 sub usage {
        my $fd = shift;
@@ -98,12 +149,12 @@ sub what_to_check {
        return @keys;
 }
 
-my $params;
 Getopt::Long::config('bundling');
 GetOptions (
        '--help' => \$params->{'help'},
        '--dir=s' => \$params->{'dir'},
        '--dlv=s' => \$params->{'dlv'},
+       '--verbose' => \$params->{'verbose'},
 ) or usage(\*STDERR, 1);
 usage(\*STDOUT, 0) if ($params->{'help'});
 
@@ -139,18 +190,20 @@ my %data;
 for my $zone (@zones) {
        $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
                         'ds'     => join(', ', get_dstags($zone)),
-                        'dlv'    => join(', ', get_dlvtags($zone)) };
+                        'dlv'    => join(', ', get_dlvtags($zone)),
+                        'parent_dnssec' => get_parent_dnssec_status($zone) };
 }
 
 if ($mode eq 'overview') {
-       my $format = "%60s %-10s %-10s %-10s\n";
-       printf $format, "zone", "DNSKEY", "DS\@parent", "DLV";
-       printf $format, "-"x 60,  "-"x 10,  "-"x 10,  "-"x 10;
+       my $format = "%60s %-10s %-10s %-10s %-10s\n";
+       printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent";
+       printf $format, "-"x 60,  "-"x 10,  "-"x 10,  "-"x 10, "-"x 10;
        for my $zone (sort {$a cmp $b} keys %data) {
                printf $format, $zone,
                        $data{$zone}->{'dnskey'},
                        $data{$zone}->{'ds'},
-                       $data{$zone}->{'dlv'};
+                       $data{$zone}->{'dlv'},
+                       $data{$zone}->{'parent_dnssec'};
        }
        exit(0);
 } elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') {