From: Peter Palfrader
Date: Fri, 2 Jan 2015 09:53:37 +0000 (+0100)
Subject: dsa-check-dnssec-delegation: Ignore revoked DNSKEYs in zone.
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=9a62ca8615e7294014941c6f34357bafd1210b78;p=mirror%2Fdsa-nagios.git
dsa-check-dnssec-delegation: Ignore revoked DNSKEYs in zone.
---
diff --git a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
index 676dce1..e614bf2 100755
--- a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
+++ b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
-# Copyright (c) 2010 Peter Palfrader
+# Copyright (c) 2010, 2014, 2015 Peter Palfrader
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -70,6 +70,12 @@ sub get_tag_generic {
 next unless (lc($rr->name) eq lc($zone));
 my $tag = $options{'pretty'} ? sprintf("%5d(%d)", $rr->keytag, $rr->algorithm) : $rr->keytag;
+
+ if ($type eq 'DNSKEY' && ($rr->{'flags'} & (1<<(15-8)))) {
+ # key is revoked
+ next;
+ }
+
 # for now only handle KSKs, i.e. keys with the SEP flag set
 if ($type eq 'DNSKEY' && !($rr->is_sep)) {
 push @zsks, $tag;
diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog
index cfede1d..7c5c0de 100644
--- a/dsa-nagios-checks/debian/changelog
+++ b/dsa-nagios-checks/debian/changelog
@@ -1,8 +1,8 @@
 dsa-nagios-checks (105) UNRELEASED; urgency=medium
- *
+ * dsa-check-dnssec-delegation: Ignore revoked DNSKEYs in zone.
- -- Peter Palfrader Sun, 07 Dec 2014 14:51:48 +0100
+ -- Peter Palfrader Fri, 02 Jan 2015 10:53:43 +0100
 dsa-nagios-checks (104) unstable; urgency=medium
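Review bot: The revoked-key test in the second hunk of dsa-check-dnssec-delegation reads the record's internal hash, `$rr->{'flags'}`, while every other field in this loop goes through an accessor (`$rr->keytag`, `$rr->algorithm`, `$rr->is_sep`). If a Net::DNS version keeps the flags under a different key, the expression presumably evaluates to 0 and revoked keys are silently counted again, so the check fails open. I would use the accessor and name the bit: `if ($type eq 'DNSKEY' && ($rr->flags & 0x0080)) {  # REVOKE bit, RFC 5011`. The body of get_tag_generic starts and ends outside the hunk, so how `@zsks` and the KSK list are consumed afterwards is not visible here.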