Add dsa-check-zone-signature-all

diff --git a/dsa-nagios-checks/checks/dsa-check-zone-signature-all b/dsa-nagios-checks/checks/dsa-check-zone-signature-all
new file mode 100755 (executable)
index 0000000..45e4399
--- /dev/null
+++ b/dsa-nagios-checks/checks/dsa-check-zone-signature-all
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# For each zone (each file in $BASE), fetches the zone from the
+# nameserver via AXFR and feeds it to bind's dnssec-verify to see of things are
+# sane.
+#
+# By default BASE is set via the indir option from the yaml file /etc/dns-helpers.yaml
+
+# Copyright 2016 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+set -e
+set -u
+
+BASE=$(perl -mYAML -e 'my ($hashref, $arrayref, $string) = YAML::LoadFile($ARGV[0]); print $hashref->{'indir'},"\n"' /etc/dns-helpers.yaml)
+if [ -z "$BASE" ] || ! [ -d "$BASE" ] ; then
+       echo "Basedir $BASE is not a directory."
+       exit 3
+fi
+
+EXTRA="-b 127.0.0.1"
+MASTER=$(hostname -f)
+
+zones=$(mktemp)
+tmp=$(mktemp)
+extra=$(mktemp)
+trap "rm -f '$zones' '$tmp' '$extra'" EXIT
+
+err=0
+errmsg=""
+num=0
+
+for zone in $(find "$BASE" -maxdepth 1 -mindepth 1 -type f -printf "%f\n" | sort); do
+       if dig $EXTRA -t axfr @"$MASTER" "$zone" | /usr/sbin/dnssec-verify -o "$zone" /dev/stdin > "$tmp" 2>&1; then
+               num=$((num + 1))
+       else
+               err=2
+               errmsg="$errmsg $zone"
+               cat "$tmp" >> "$extra"
+       fi
+done < "$zones"
+
+if [ "$err" = 0 ]; then
+       if [ "$num" = 0 ]; then
+               echo "OK: No zones found?"
+               err=1
+       else
+               echo "OK: $num zones appear to be OK."
+       fi
+else
+       echo "CRITICAL:$errmsg"
+       cat "$extra"
+fi
+exit "$err"

diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog
index d3b1647..c4626d0 100644 (file)
--- a/dsa-nagios-checks/debian/changelog
+++ b/dsa-nagios-checks/debian/changelog
@@ -35,6 +35,7 @@ dsa-nagios-checks (108+XXXX) UNRELEASED; urgency=medium
   * dsa-check-zone-rrsig-expiration-many: remove | (which starts performance
     data) in detail output.
   * dsa-check-zone-rrsig-expiration-many: sort zone details by state.
+  * dsa-check-zone-signature-all: add.
 
   [ Tollef Fog Heen ]
   * dsa-update-unowned-file-status: ignore fdescfs, used for /dev/fd on
@@ -47,7 +48,7 @@ dsa-nagios-checks (108+XXXX) UNRELEASED; urgency=medium
   * Add dsa-check-hpssacli, replaces hpacucli for new hosts.
   * dsa-check-hpssacli: accept 12.0Gbps as transfer speed for SAS
 
- -- Peter Palfrader <weasel@debian.org>  Wed, 27 Jul 2016 10:31:06 +0200
+ -- Peter Palfrader <weasel@debian.org>  Mon, 14 Nov 2016 15:36:09 +0100
 
 dsa-nagios-checks (108) unstable; urgency=medium