X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=dsa-nagios-checks%2Fchecks%2Fdsa-check-dnssec-delegation;h=5e25363735cd96c86eddf8757b8baf0aa24dbe2c;hb=94c1c3cd379c5761c1171b542446ff6a1b98a2e6;hp=e2267c45982e82079af0a6d7b39cb99447277341;hpb=45a6b00a63acf551e9a226524119bb0c053d070c;p=mirror%2Fdsa-nagios.git
diff --git a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
index e2267c4..5e25363 100755
--- a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
+++ b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
@@ -31,12 +31,14 @@ $SIG{'__DIE__'} = sub { print @_; exit 4; };
 my $RES = Net::DNS::Resolver->new;
 my $DLV = 'dlv.isc.org';
+my $params;
 sub get_tag_generic {
 my $zone = shift;
 my $type = shift;
 my @result;
+ print "Querying $type $zone\n" if $params->{'verbose'};
 my $pkt = $RES->send($zone, $type);
 return () unless $pkt;
 return () unless $pkt->answer;
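Review bot: The verbose trace added to get_tag_generic, `print "Querying $type $zone\n" if $params->{'verbose'};`, writes to STDOUT, which for a Nagios plugin is the status text the monitoring core parses, so running one of the check-* modes with --verbose would prepend the query log to the plugin output. Sending the diagnostics to STDERR keeps them out of the status line: `print STDERR "Querying $type $zone\n" if $params->{'verbose'};`, and the same applies to the two prints added in has_dnskey_parent in the next hunk. get_tag_generic's body continues outside the hunk.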
@@ -70,34 +72,52 @@ sub get_dlvtags {
 sub has_dnskey_parent {
 my $zone = shift;
- my $potential_parent = $zone;
- $potential_parent =~ s/^[^.]*\.//;
+ my $potential_parent;
+ if ($zone =~ m/\./) {
+ $potential_parent = $zone;
+ $potential_parent =~ s/^[^.]+\.//;
+ } else {
+ $potential_parent = '.';
+ }
+ print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
 my $pkt = $RES->send($potential_parent, 'DNSKEY');
 return undef unless $pkt;
 return undef unless $pkt->header;
- # try to find the zone start
 unless ($pkt->answer) {
- #print "Looking for zone apex\n";
 return undef unless $pkt->authority;
 for my $rr ($pkt->authority) {
 next unless ($rr->type eq 'SOA');
 $potential_parent = $rr->name;
- #print "Found it at $potential_parent\n";
+ print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
 $pkt = $RES->send($potential_parent, 'DNSKEY');
 return undef unless $pkt;
 last;
 };
 };
- return 0 unless $pkt->answer;
+ return (0, $potential_parent) unless $pkt->answer;
 for my $rr ($pkt->answer) {
 next unless ($rr->type eq 'DNSKEY');
- return 1;
+ return (1, $potential_parent);
 };
 }
+sub get_parent_dnssec_status {
+ my $zone = shift;
+ my @result;
+
+ while (1) {
+ my ($status, $parent) = has_dnskey_parent($zone);
+ last unless defined $status;
+ push @result, ($status ? "yes" : "no") . ("($parent)");
+ $zone = $parent;
+ last if $zone eq "" || $zone eq '.';
+ };
+
+ return join(', ', @result);
+};
 sub usage {
 my $fd = shift;
@@ -129,12 +149,12 @@ sub what_to_check {
 return @keys;
 }
-my $params;
 Getopt::Long::config('bundling');
 GetOptions (
 '--help' => \$params->{'help'},
 '--dir=s' => \$params->{'dir'},
 '--dlv=s' => \$params->{'dlv'},
+ '--verbose' => \$params->{'verbose'},
 ) or usage(\*STDERR, 1);
 usage(\*STDOUT, 0) if ($params->{'help'});
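Review bot: The `while (1)` walk in get_parent_dnssec_status only stops when has_dnskey_parent returns an undefined status or a parent of `""`/`'.'`, so it relies on every returned parent being strictly shorter than the name it was asked about; in the authority fallback `$potential_parent = $rr->name;` is copied from the response unchecked, and an SOA owner that is not a proper suffix of the queried name (a misbehaving or untrusted resolver) would keep the loop, and its one DNS query per iteration, running indefinitely inside a monitoring check. A cheap guard before `$zone = $parent;` is `last if length($parent) >= length($zone);`, or a cap on the number of iterations, since a DNS name has a bounded number of labels. Separately, for a name written with a trailing dot such as `com.` the `m/\./` test is true and `s/^[^.]+\.//` leaves an empty string, so the next step is sent as `""` and the result string reads `yes()` instead of `yes(.)`; adding `$potential_parent = '.' if $potential_parent eq '';` after the substitution makes that path agree with the no-dot branch.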
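Review bot: `'--verbose' => \$params->{'verbose'},` registers the new switch, but nothing in this diff updates the help text; if usage() enumerates the options (its body is outside these hunks) it needs a matching line such as `--verbose   print every DNS query as it is sent`. With `my $params;` moved to file scope, `$params` stays undef until GetOptions runs, which is fine for get_tag_generic and has_dnskey_parent as long as they are only called afterwards, as the calls visible in the later hunks are.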
@@ -166,15 +186,16 @@ if (scalar @ARGV) {
 $DLV = $params->{'dlv'} if $params->{'dlv'};
-my %data;
-for my $zone (@zones) {
- $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
- 'ds' => join(', ', get_dstags($zone)),
- 'dlv' => join(', ', get_dlvtags($zone)),
- 'parent_dnssec' => has_dnskey_parent($zone) };
-}
 if ($mode eq 'overview') {
+ my %data;
+ for my $zone (@zones) {
+ $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
+ 'ds' => join(', ', get_dstags($zone)),
+ 'dlv' => join(', ', get_dlvtags($zone)),
+ 'parent_dnssec' => get_parent_dnssec_status($zone) };
+ }
+
 my $format = "%60s %-10s %-10s %-10s %-10s\n";
 printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent";
 printf $format, "-"x 60, "-"x 10, "-"x 10, "-"x 10, "-"x 10;
@@ -183,7 +204,7 @@ if ($mode eq 'overview') {
 $data{$zone}->{'dnskey'},
 $data{$zone}->{'ds'},
 $data{$zone}->{'dlv'},
- $data{$zone}->{'parent_dnssec'} ? 'yes' : '-';
+ $data{$zone}->{'parent_dnssec'};
 }
 exit(0);
 } elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') {
@@ -195,15 +216,15 @@ if ($mode eq 'overview') {
 my @warn;
 my @ok;
- for my $zone (sort {$a cmp $b} keys %data) {
+ for my $zone (sort {$a cmp $b} @zones) {
 my @thiskeys = $key eq 'per-zone' ? what_to_check($zone, $params->{'dir'}) : ($key);
+ my $dnskey = join(', ', get_dnskeytags($zone)) || '-';
 for my $thiskey (@thiskeys) {
- my $dnskey = $data{$zone}->{'dnskey'} || '-';
- my $target = $data{$zone}->{$thiskey} || '-';
+ my $target = join(', ', $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone)) || '-';
 if ($dnskey ne $target) {
- push @warn, "$zone ($dnskey != $target)";
+ push @warn, "$zone ([$dnskey] != [$target])";
 } else {
 push @ok, "$zone ($dnskey)";
 };
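Review bot: The `'parent_dnssec'` value is now the comma-joined chain from get_parent_dnssec_status, one `yes(parent)`/`no(parent)` entry per ancestor up to the root, yet it is still printed through the `%-10s` slot of `$format` under the header `"dnssec\@parent"`, so the last column overflows its width and the label no longer describes what is shown. Because it is the final column, `my $format = "%60s %-10s %-10s %-10s %s\n";` together with a header such as `"dnssec\@parents"` keeps the table aligned without truncating anything. The overview branch continues past the end of this hunk.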
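Review bot: Printing `$data{$zone}->{'parent_dnssec'}` raw drops the `-` placeholder the old line showed for a false value: when the very first has_dnskey_parent step returns undef (no reply, or a reply without a header) get_parent_dnssec_status returns `''` and the cell is simply blank, which reads like an empty DNSKEY/DS/DLV column rather than "unknown". The check modes in the following hunk default such strings with `|| '-'`; doing the same here, `$data{$zone}->{'parent_dnssec'} || '-';`, keeps the overview explicit about a failed walk. The printf this line belongs to starts before the hunk.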