use English;
use Net::DNS::Resolver;
use Getopt::Long;
+use File::Basename;
$SIG{'__DIE__'} = sub { print @_; exit 4; };
my $RES = Net::DNS::Resolver->new;
my $DLV = 'dlv.isc.org';
+my $params;
sub get_tag_generic {
my $zone = shift;
my $type = shift;
my @result;
+ print "Querying $type $zone\n" if $params->{'verbose'};
my $pkt = $RES->send($zone, $type);
return () unless $pkt;
return () unless $pkt->answer;
sub has_dnskey_parent {
my $zone = shift;
- my $potential_parent = $zone;
- $potential_parent =~ s/^[^.]*\.//;
+ my $potential_parent;
+ if ($zone =~ m/\./) {
+ $potential_parent = $zone;
+ $potential_parent =~ s/^[^.]+\.//;
+ } else {
+ $potential_parent = '.';
+ }
+ print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
my $pkt = $RES->send($potential_parent, 'DNSKEY');
return undef unless $pkt;
return undef unless $pkt->header;
- # try to find the zone start
unless ($pkt->answer) {
- #print "Looking for zone apex\n";
return undef unless $pkt->authority;
for my $rr ($pkt->authority) {
next unless ($rr->type eq 'SOA');
$potential_parent = $rr->name;
- #print "Found it at $potential_parent\n";
+ print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
$pkt = $RES->send($potential_parent, 'DNSKEY');
return undef unless $pkt;
last;
};
};
- return 0 unless $pkt->answer;
+ return (0, $potential_parent) unless $pkt->answer;
for my $rr ($pkt->answer) {
next unless ($rr->type eq 'DNSKEY');
- return 1;
+ return (1, $potential_parent);
};
}
+sub get_parent_dnssec_status {
+ my $zone = shift;
+ my @result;
+
+ while (1) {
+ my ($status, $parent) = has_dnskey_parent($zone);
+ last unless defined $status;
+ push @result, ($status ? "yes" : "no") . ("($parent)");
+ $zone = $parent;
+ last if $zone eq "" || $zone eq '.';
+ };
+
+ return join(', ', @result);
+};
sub usage {
my $fd = shift;
sub what_to_check {
my $zone = shift;
- my $indir = shift;
+ my $zonefile = shift;
my $do_dlv = 0;
my $do_ds = 0;
- open(F, "<", $indir."/".$zone) or die ("Cannot open zonefile for $zone: $!\n");
+ open(F, "<", $zonefile) or die ("Cannot open zonefile $zonefile for $zone: $!\n");
while (<F>) {
- if (/^;\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; }
- if (/^;\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; }
+ if (/^[#;]\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; }
+ if (/^[#;]\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; }
}
close(F);
return @keys;
}
-my $params;
Getopt::Long::config('bundling');
GetOptions (
'--help' => \$params->{'help'},
- '--dir=s' => \$params->{'dir'},
+ '--dir=s@' => \$params->{'dir'},
'--dlv=s' => \$params->{'dlv'},
+ '--verbose' => \$params->{'verbose'},
) or usage(\*STDERR, 1);
usage(\*STDOUT, 0) if ($params->{'help'});
usage(\*STDOUT, 0) unless (defined $mode && $mode =~ /^(overview|check-dlv|check-ds|check-header)$/);
die ("check-header needs --dir") if ($mode eq 'check-header' && !defined $params->{'dir'});
-my @zones;
+my %zones;
if (scalar @ARGV) {
if (defined $params->{'dir'} && $mode ne 'check-header') {
warn "--dir option ignored"
}
- @zones = @ARGV;
+ %zones = map { $_ => $_} @ARGV;
} else {
- my $dir = $params->{'dir'};
- usage(\*STDOUT, 0) unless (defined $dir);
-
- chdir $dir or die "chdir $dir failed? $!\n";
- opendir DIR, '.' or die ("Cannot opendir $dir\n");
- for my $file (readdir DIR) {
- next if ( -l "$file" );
- next unless ( -f "$file" );
- next if $file =~ /^(dsset|keyset)-/;
-
- push @zones, $file;
- }
- closedir(DIR);
+ my $dirs = $params->{'dir'};
+ usage(\*STDOUT, 0) unless (defined $dirs);
+
+ for my $dir (@$dirs) {
+ chdir $dir or die "chdir $dir failed? $!\n";
+ opendir DIR, '.' or die ("Cannot opendir $dir\n");
+ for my $file (readdir DIR) {
+ next if ( -l "$file" );
+ next unless ( -f "$file" );
+ next if $file =~ /^(dsset|keyset)-/;
+
+ my $zone = $file;
+ if ($file =~ /\.zone$/) { # it's one of our yaml things
+ $zone = basename($file, '.zone');
+ };
+ $zones{$zone} = "$dir/$file";
+ }
+ closedir(DIR);
+ };
};
$DLV = $params->{'dlv'} if $params->{'dlv'};
-my %data;
-for my $zone (@zones) {
- $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
- 'ds' => join(', ', get_dstags($zone)),
- 'dlv' => join(', ', get_dlvtags($zone)),
- 'parent_dnssec' => has_dnskey_parent($zone) };
-}
if ($mode eq 'overview') {
+ my %data;
+ for my $zone (keys %zones) {
+ $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
+ 'ds' => join(', ', get_dstags($zone)),
+ 'dlv' => join(', ', get_dlvtags($zone)),
+ 'parent_dnssec' => get_parent_dnssec_status($zone) };
+ }
+
my $format = "%60s %-10s %-10s %-10s %-10s\n";
printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent";
printf $format, "-"x 60, "-"x 10, "-"x 10, "-"x 10, "-"x 10;
$data{$zone}->{'dnskey'},
$data{$zone}->{'ds'},
$data{$zone}->{'dlv'},
- $data{$zone}->{'parent_dnssec'} ? 'yes' : '-';
+ $data{$zone}->{'parent_dnssec'};
}
exit(0);
} elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') {
my @warn;
my @ok;
- for my $zone (sort {$a cmp $b} keys %data) {
- my @thiskeys = $key eq 'per-zone' ? what_to_check($zone, $params->{'dir'}) : ($key);
+ for my $zone (sort {$a cmp $b} keys %zones) {
+ my @thiskeys = $key eq 'per-zone' ? what_to_check($zone, $zones{$zone}) : ($key);
+ my $dnskey = join(', ', get_dnskeytags($zone)) || '-';
for my $thiskey (@thiskeys) {
- my $dnskey = $data{$zone}->{'dnskey'} || '-';
- my $target = $data{$zone}->{$thiskey} || '-';
+ my $target = join(', ', $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone)) || '-';
if ($dnskey ne $target) {
- push @warn, "$zone ($dnskey != $target)";
+ push @warn, "$zone ([$dnskey] != [$target])";
} else {
push @ok, "$zone ($dnskey)";
};
projects / mirror / dsa-nagios.git / blobdiff