my $ND = sprintf "%3.1f days", ($min_exp-$NOW)/86400;
warning("$min_type RRSIG expires in $ND at $min_ns")
}
- success(sprintf("No RRSIGs expiring in the next %3.1f days", $WARN/86400));
+ success(sprintf("No RRSIGs at zone apex expiring in the next %3.1f days", $WARN/86400));
}
sub sigrr_exp_epoch {
for my $file (sort {$a cmp $b} (readdir INDIR)) {
next if ( -l "$file" );
next unless ( -f "$file" );
- next if $file =~ /^(dsset|keyset)-/;
- my $do_dnssec = 0;
+ my $do_dnssec = 1;
my $initial_refs = undef;
open(F, '<', $file) or die ("Cannot open $file: $!\n");
for (<F>) {
- if (/^; wzf:\s*dnssec\s*=\s*1\s*$/) { $do_dnssec = 1; }
+ if (/^; wzf:\s*dnssec\s*=\s*0\s*$/) { $do_dnssec = 0; }
if (/^; check-initial-refs\s*=\s*(.*?)\s*$/) { $initial_refs = $1; }
};
close F;
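Review bot: With `next if $file =~ /^(dsset|keyset)-/;` removed and `$do_dnssec` now starting at 1, every regular file in the directory is treated as a signed zone unless it carries a `; wzf: dnssec = 0` line. Any dsset-/keyset- files still present there would presumably be reported as zones with missing or expiring signatures. If such files can no longer appear in this directory, a comment like `# dsset-/keyset- files no longer live here; every regular file is a zone` would record that assumption; otherwise the skip should stay. The opt-out regex is strict, and an unrecognised spelling leaves the check enabled, which is the safer direction for a monitoring check. The loop body continues past the end of the hunk.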
for my $file (sort {$a cmp $b} (readdir INDIR)) {
next unless $file =~ /\.zone$/;
- open (F, '<', $file) or die "Cannot open $file: $!\n";
- my ($zc, undef, undef) = Load(join "", (<F>));
- close F;
-
my $zone = basename($file, '.zone');
-
- if ($zc->{'dnssec'}) {
- die "Duplicate zone $zone?\n" if exists $dnsseczones{$zone};
- $dnsseczones{$zone} = {};
- } else {
- push @{$count->{'unsigned'}}, $zone;
- };
+ die "Duplicate zone $zone?\n" if exists $dnsseczones{$zone};
+ $dnsseczones{$zone} = {};
}
closedir(INDIR);
}
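Review bot: After this change nothing in the loop distinguishes unsigned zones: every `*.zone` name goes into `%dnsseczones` and `$count->{'unsigned'}` is never populated. If reporting code outside the hunk still reads `@{$count->{'unsigned'}}` as an rvalue, that dereference of an undefined value can die under `use strict`; initialising it with `$count->{'unsigned'} = [];` before the loop, or dropping the report, would avoid that. The file-scanning loop changed earlier in this commit keeps an opt-out (`; wzf: dnssec = 0`), while this one has none, so a deliberately unsigned zone would presumably now be flagged. A comment such as `# all zones are expected to be signed; there is no per-zone opt-out here` would make that intent explicit. The enclosing sub begins before the hunk.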
- handle zones with no keys that have the SEP bit.
- warn on all domains where parent has a non-empty DS bit that does
not match ours, even if we did not expect it to have one at all.
+ * dsa-check-zone-rrsig-expiration-many:
+ - expect dnssec by default now.
+ * dsa-check-zone-rrsig-expiration:
+ - in the OK message, clarify we only check sigs at the zone apex.
-- Peter Palfrader <weasel@debian.org> Tue, 23 Apr 2013 20:12:09 +0200