From: Peter Palfrader
Date: Wed, 8 Jan 2014 19:21:47 +0000 (+0100)
Subject: dsa-check-zone-rrsig-expiration* updates
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=b412d75a8ac1a8cc00c34e062f0525da0e4c033f;p=mirror%2Fdsa-nagios.git
dsa-check-zone-rrsig-expiration* updates
---
diff --git a/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration b/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration
index a624426..7a92768 100755
--- a/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration
+++ b/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration
@@ -224,7 +224,7 @@ sub do_analyze {
 my $ND = sprintf "%3.1f days", ($min_exp-$NOW)/86400;
 warning("$min_type RRSIG expires in $ND at $min_ns")
 }
- success(sprintf("No RRSIGs expiring in the next %3.1f days", $WARN/86400));
+ success(sprintf("No RRSIGs at zone apex expiring in the next %3.1f days", $WARN/86400));
 }
 sub sigrr_exp_epoch {
diff --git a/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration-many b/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration-many
index c411e4e..397bb83 100755
--- a/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration-many
+++ b/dsa-nagios-checks/checks/dsa-check-zone-rrsig-expiration-many
@@ -116,13 +116,12 @@ opendir INDIR, '.' or die ("Cannot opendir $INDIR\n");
 for my $file (sort {$a cmp $b} (readdir INDIR)) {
 next if ( -l "$file" );
 next unless ( -f "$file" );
- next if $file =~ /^(dsset|keyset)-/;
- my $do_dnssec = 0;
+ my $do_dnssec = 1;
 my $initial_refs = undef;
 open(F, '<', $file) or die ("Cannot open $file: $!\n");
 for () {
- if (/^; wzf:\s*dnssec\s*=\s*1\s*$/) { $do_dnssec = 1; }
+ if (/^; wzf:\s*dnssec\s*=\s*0\s*$/) { $do_dnssec = 0; }
 if (/^; check-initial-refs\s*=\s*(.*?)\s*$/) { $initial_refs = $1; }
 };
 close F;
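Review bot: With `my $do_dnssec = 1;` as the default and the `next if $file =~ /^(dsset|keyset)-/;` filter removed, every regular non-symlink file in the directory is now treated as a signed zone unless it carries `; wzf: dnssec = 0`. Defaulting to signed is the safer direction for a monitoring check, since a zone that loses its marker no longer drops out of coverage, but the changelog mentions only the new default and not the dropped filter. If dsset-/keyset- files can still appear in this directory they would presumably be reported as broken zones; either keep the filter or add a comment above the loop such as `# every regular file here is a zone; unsigned zones must opt out with "; wzf: dnssec = 0"`. The loop body continues outside the hunk, so how `$do_dnssec` is consumed is not visible here.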
@@ -144,18 +143,9 @@ if (defined $params->{'geozonedir'}) { for my $file (sort {$a cmp $b} (readdir INDIR)) { next unless $file =~ /\.zone$/; - open (F, '<', $file) or die "Cannot open $file: $!\n"; - my ($zc, undef, undef) = Load(join "", ()); - close F; - my $zone = basename($file, '.zone'); - - if ($zc->{'dnssec'}) { - die "Duplicate zone $zone?\n" if exists $dnsseczones{$zone}; - $dnsseczones{$zone} = {}; - } else { - push @{$count->{'unsigned'}}, $zone; - }; + die "Duplicate zone $zone?\n" if exists $dnsseczones{$zone}; + $dnsseczones{$zone} = {}; } closedir(INDIR); } diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog index 7fa8ece..600ed93 100644 --- a/dsa-nagios-checks/debian/changelog +++ b/dsa-nagios-checks/debian/changelog @@ -12,6 +12,10 @@ dsa-nagios-checks (96) UNRELEASED; urgency=low - handle zones with no keys that have the SEP bit. - warn on all domains where parent has a non-empty DS bit that does not match ours, even if we did not expect it to have one at all. + * dsa-check-zone-rrsig-expiration-many: + - expect dnssec by default now. + * dsa-check-zone-rrsig-expiration: + - in the OK message, clarify we only check sigs at the zone apex. -- Peter Palfrader Tue, 23 Apr 2013 20:12:09 +0200
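Review bot: The geozonedir loop now registers every `*.zone` file in `%dnsseczones` with no opt-out, while the first loop still honours `; wzf: dnssec = 0`, so the two paths disagree on how an unsigned zone is declared. An unsigned geo zone would no longer land in `$count->{'unsigned'}` and would presumably be checked as signed; if that is intended, say so next to the loop, e.g. `# geo zones are always signed; there is no per-zone opt-out`. The added lines rely on `$zone`, and in this collapsed rendering it is unclear whether `my $zone = basename($file, '.zone');` is kept as context, which is worth confirming. With the `Load(...)` call gone, the YAML import may also be unused now, though the import lines are outside this hunk.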