From 352bbe893e3eb3fcfecc653e50c09f8b8e88d0d7 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 11 Oct 2014 09:43:08 +0200
Subject: [PATCH] dsa-check-soas: do some queries without RD set

---
 dsa-nagios-checks/checks/dsa-check-soas | 86 ++++++++++++++++++++++++-
 dsa-nagios-checks/debian/changelog | 3 +-
 2 files changed, 86 insertions(+), 3 deletions(-)

diff --git a/dsa-nagios-checks/checks/dsa-check-soas b/dsa-nagios-checks/checks/dsa-check-soas
index 3b8e546..80f4924 100755
--- a/dsa-nagios-checks/checks/dsa-check-soas
+++ b/dsa-nagios-checks/checks/dsa-check-soas
@@ -1,6 +1,6 @@
 #!/usr/bin/ruby
-# Copyright 2006, 2012 Peter Palfrader
+# Copyright 2006, 2012, 2014 Peter Palfrader
 # 2012 Uli Martens
 #
 # Permission is hereby granted, free of charge, to any person obtaining
@@ -22,6 +22,35 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+
+# the each_resource function is lifted from ruby 1.9.1's resolv.rb, with the
+# minor modification that we do not unconditionally set the message's RD flag
+# to 1. Its license is:
+#
+# Copyright (C) 1993-2010 Yukihiro Matsumoto. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+
 require 'ipaddr'
 require 'resolv'
 require 'optparse'
@@ -53,6 +82,58 @@ if @additional_nameservers.count <= 1 and not @check_soa_nameservers
 exit(1)
 end
 
+class DSADNS < Resolv::DNS
+ attr_reader :rd
+ attr_writer :rd
+
+ def initialize(*args)
+ super
+ @rd = 1
+ end
+
+ def each_resource(name, typeclass, &proc)
+ lazy_initialize
+ requester = make_udp_requester
+ senders = {}
+ begin
+ @config.resolv(name) {|candidate, tout, nameserver, port|
+ msg = Message.new
+puts @rd
+ msg.rd = @rd
+ msg.add_question(candidate, typeclass)
+ unless sender = senders[[candidate, nameserver, port]]
+ sender = senders[[candidate, nameserver, port]] =
+ requester.sender(msg, candidate, nameserver, port)
+ end
+ reply, reply_name = requester.request(sender, tout)
+ case reply.rcode
+ when RCode::NoError
+ if reply.tc == 1 and not Requester::TCP === requester
+ requester.close
+ # Retry via TCP:
+ requester = make_tcp_requester(nameserver, port)
+ senders = {}
+ # This will use TCP for all remaining candidates (assuming the
+ # current candidate does not already respond successfully via
+ # TCP). This makes sense because we already know the full
+ # response will not fit in an untruncated UDP packet.
+ redo
+ else
+ extract_resources(reply, reply_name, typeclass, &proc)
+ end
+ return
+ when RCode::NXDomain
+ raise Config::NXDomain.new(reply_name.to_s)
+ else
+ raise Config::OtherResolvError.new(reply_name.to_s)
+ end
+ }
+ ensure
+ requester.close
+ end
+ end
+end
+
 warnings = []
 oks = []
 
@@ -94,7 +175,8 @@ ARGV.each{ |domain|
 addrs.each do |a|
 puts " Nameserver #{nameserver} is at #{a}" if @verbose > 0
 begin
- resolver = Resolv::DNS.new({:nameserver => a})
+ resolver = DSADNS.new({:nameserver => a})
+ resolver.rd = 0
 soas = resolver.getresources(domain, Resolv::DNS::Resource::IN::SOA)
 rescue SystemCallError => e
 warnings << "Could not resolve #{domain} on #{nameserver}: #{e.message}"
diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog
index ab6f1b4..a673c8c 100644
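Review bot: The bare `puts @rd` at column 0 inside `each_resource` looks like a leftover debug print: it writes the RD flag to stdout on every query, and for a Nagios/Icinga plugin stdout is the check result, so with this patch's only caller every run would be prefixed with stray `0` lines that the monitoring side shows (or chokes on) as plugin output. Drop the line; note that inside the class `@verbose` is not the script's top-level instance variable, so it cannot simply be made conditional on that. Since clearing RD is meant to obtain answers only from servers authoritative for the zone, it would be consistent to also reject non-authoritative replies in the `RCode::NoError` branch, e.g. `raise Config::OtherResolvError.new(reply_name.to_s) unless reply.aa == 1` — hedged, as this assumes every server the check is pointed at is expected to be authoritative. This copy of `each_resource` also reaches into `Resolv::DNS` internals (`lazy_initialize`, `make_udp_requester`, `@config`, `Requester::TCP`), so it can break silently on a newer interpreter; a comment such as `# NOTE: relies on Resolv::DNS private API as of ruby 1.9.1; re-check when the interpreter is upgraded` would warn the next maintainer. As a style point, `attr_reader :rd` plus `attr_writer :rd` is simply `attr_accessor :rd`.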
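Review bot: With `resolver.rd = 0` a server that is recursive-only for the zone will typically answer REFUSED or return no answer section instead of a cached SOA, and in the new `each_resource` any rcode other than NoError/NXDomain raises `Config::OtherResolvError`, which is not a `SystemCallError`, so the `rescue` in this hunk does not cover it. If `Resolv::DNS::Config#resolv` swallows `ResolvError` the way upstream's does, `soas` simply comes back empty and the empty-result handling below this hunk must count that as a failure for `nameserver`; if it cannot tell the two cases apart, an explicit warning such as `warnings << "#{nameserver} refused or gave no SOA for #{domain}"` belongs in that path. The enclosing `ARGV.each{ |domain|` and `addrs.each do |a|` blocks start and end outside the hunk. As a point of style, the only caller overrides the class default `@rd = 1` immediately after construction, so defaulting `DSADNS` to `@rd = 0` (or accepting an `rd:` argument in `initialize`) would state the intent in one place.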
--- a/dsa-nagios-checks/debian/changelog
+++ b/dsa-nagios-checks/debian/changelog
@@ -7,12 +7,13 @@ dsa-nagios-checks (101) UNRELEASED; urgency=low
 RRSIG on the DS record instead of a referral (rcode0's for instance).
 * dsa-check-hpasm: Support supplying a list of things for which failures
 are ignored.
+ * dsa-check-soas: do some queries without RD set.
 
 [ Hendrik Köhler ]
 * Extend dsa-check-entropy output so Icinga2 can process performance data
 (e.g. used by Graphite).
 
- -- Peter Palfrader Tue, 01 Jul 2014 18:34:23 +0200
+ -- Peter Palfrader Sat, 11 Oct 2014 09:43:01 +0200
 
 dsa-nagios-checks (100) unstable; urgency=low
 
-- 
2.20.1