X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=dsa-nagios-checks%2Fchecks%2Fdsa-check-dnssec-delegation;h=861dd9cad70b41b2a263dd35ea34022c2b131607;hb=f060cd469b7ae31ae606acb249210a9399fdbefe;hp=513b098794c91ff8b3a64d2c3395282a3e6d02f5;hpb=e0eb79fce1b07ee711930c2df9a5858daf0b6cc3;p=mirror%2Fdsa-nagios.git diff --git a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation index 513b098..861dd9c 100755 --- a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation +++ b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation @@ -26,17 +26,20 @@ use warnings; use English; use Net::DNS::Resolver; use Getopt::Long; +use File::Basename; $SIG{'__DIE__'} = sub { print @_; exit 4; }; my $RES = Net::DNS::Resolver->new; my $DLV = 'dlv.isc.org'; +my $params; sub get_tag_generic { my $zone = shift; my $type = shift; my @result; + print "Querying $type $zone\n" if $params->{'verbose'}; my $pkt = $RES->send($zone, $type); return () unless $pkt; return () unless $pkt->answer; @@ -78,19 +81,18 @@ sub has_dnskey_parent { $potential_parent = '.'; } + print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'}; my $pkt = $RES->send($potential_parent, 'DNSKEY'); return undef unless $pkt; return undef unless $pkt->header; - # try to find the zone start unless ($pkt->answer) { - #print "Looking for zone apex\n"; return undef unless $pkt->authority; for my $rr ($pkt->authority) { next unless ($rr->type eq 'SOA'); $potential_parent = $rr->name; - #print "Found it at $potential_parent\n"; + print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'}; $pkt = $RES->send($potential_parent, 'DNSKEY'); return undef unless $pkt; last; @@ -112,7 +114,7 @@ sub get_parent_dnssec_status { last unless defined $status; push @result, ($status ? "yes" : "no") . ("($parent)"); $zone = $parent; - last if $zone eq ""; + last if $zone eq "" || $zone eq '.'; }; return join(', ', @result); @@ -130,15 +132,15 @@ sub usage { sub what_to_check { my $zone = shift; - my $indir = shift; + my $zonefile = shift; my $do_dlv = 0; my $do_ds = 0; - open(F, "<", $indir."/".$zone) or die ("Cannot open zonefile for $zone: $!\n"); + open(F, "<", $zonefile) or die ("Cannot open zonefile $zonefile for $zone: $!\n"); while () { - if (/^;\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; } - if (/^;\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; } + if (/^[#;]\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; } + if (/^[#;]\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; } } close(F); @@ -148,12 +150,12 @@ sub what_to_check { return @keys; } -my $params; Getopt::Long::config('bundling'); GetOptions ( '--help' => \$params->{'help'}, - '--dir=s' => \$params->{'dir'}, + '--dir=s@' => \$params->{'dir'}, '--dlv=s' => \$params->{'dlv'}, + '--verbose' => \$params->{'verbose'}, ) or usage(\*STDERR, 1); usage(\*STDOUT, 0) if ($params->{'help'}); @@ -161,39 +163,46 @@ my $mode = shift @ARGV; usage(\*STDOUT, 0) unless (defined $mode && $mode =~ /^(overview|check-dlv|check-ds|check-header)$/); die ("check-header needs --dir") if ($mode eq 'check-header' && !defined $params->{'dir'}); -my @zones; +my %zones; if (scalar @ARGV) { if (defined $params->{'dir'} && $mode ne 'check-header') { warn "--dir option ignored" } - @zones = @ARGV; + %zones = map { $_ => $_} @ARGV; } else { - my $dir = $params->{'dir'}; - usage(\*STDOUT, 0) unless (defined $dir); - - chdir $dir or die "chdir $dir failed? $!\n"; - opendir DIR, '.' or die ("Cannot opendir $dir\n"); - for my $file (readdir DIR) { - next if ( -l "$file" ); - next unless ( -f "$file" ); - next if $file =~ /^(dsset|keyset)-/; - - push @zones, $file; - } - closedir(DIR); + my $dirs = $params->{'dir'}; + usage(\*STDOUT, 0) unless (defined $dirs); + + for my $dir (@$dirs) { + chdir $dir or die "chdir $dir failed? $!\n"; + opendir DIR, '.' or die ("Cannot opendir $dir\n"); + for my $file (readdir DIR) { + next if ( -l "$file" ); + next unless ( -f "$file" ); + next if $file =~ /^(dsset|keyset)-/; + + my $zone = $file; + if ($file =~ /\.zone$/) { # it's one of our yaml things + $zone = basename($file, '.zone'); + }; + $zones{$zone} = "$dir/$file"; + } + closedir(DIR); + }; }; $DLV = $params->{'dlv'} if $params->{'dlv'}; -my %data; -for my $zone (@zones) { - $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)), - 'ds' => join(', ', get_dstags($zone)), - 'dlv' => join(', ', get_dlvtags($zone)), - 'parent_dnssec' => get_parent_dnssec_status($zone) }; -} if ($mode eq 'overview') { + my %data; + for my $zone (keys %zones) { + $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)), + 'ds' => join(', ', get_dstags($zone)), + 'dlv' => join(', ', get_dlvtags($zone)), + 'parent_dnssec' => get_parent_dnssec_status($zone) }; + } + my $format = "%60s %-10s %-10s %-10s %-10s\n"; printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent"; printf $format, "-"x 60, "-"x 10, "-"x 10, "-"x 10, "-"x 10; @@ -214,15 +223,15 @@ if ($mode eq 'overview') { my @warn; my @ok; - for my $zone (sort {$a cmp $b} keys %data) { - my @thiskeys = $key eq 'per-zone' ? what_to_check($zone, $params->{'dir'}) : ($key); + for my $zone (sort {$a cmp $b} keys %zones) { + my @thiskeys = $key eq 'per-zone' ? what_to_check($zone, $zones{$zone}) : ($key); + my $dnskey = join(', ', get_dnskeytags($zone)) || '-'; for my $thiskey (@thiskeys) { - my $dnskey = $data{$zone}->{'dnskey'} || '-'; - my $target = $data{$zone}->{$thiskey} || '-'; + my $target = join(', ', $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone)) || '-'; if ($dnskey ne $target) { - push @warn, "$zone ($dnskey != $target)"; + push @warn, "$zone ([$dnskey] != [$target])"; } else { push @ok, "$zone ($dnskey)"; };