dsa-check-dnssec-delegation: Ignore revoked DNSKEYs in zone.

[mirror/dsa-nagios.git] / dsa-nagios-checks / checks / dsa-check-dnssec-delegation

diff --git a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
index 676dce1..e614bf2 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
+++ b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 
-# Copyright (c) 2010 Peter Palfrader <peter@palfrader.org>
+# Copyright (c) 2010, 2014, 2015 Peter Palfrader <peter@palfrader.org>
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -70,6 +70,12 @@ sub get_tag_generic {
                next unless (lc($rr->name) eq lc($zone));
 
                my $tag = $options{'pretty'} ? sprintf("%5d(%d)", $rr->keytag, $rr->algorithm) : $rr->keytag;
+
+               if ($type eq 'DNSKEY' && ($rr->{'flags'} & (1<<(15-8)))) {
+                       # key is revoked
+                       next;
+               }
+
                # for now only handle KSKs, i.e. keys with the SEP flag set
                if ($type eq 'DNSKEY' && !($rr->is_sep)) {
                        push @zsks, $tag;