dsa-check-dnssec-delegation: Ignore revoked DNSKEYs in zone.

diff --git a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
index 676dce1..e614bf2 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
+++ b/dsa-nagios-checks/checks/dsa-check-dnssec-delegation
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 
-# Copyright (c) 2010 Peter Palfrader <peter@palfrader.org>
+# Copyright (c) 2010, 2014, 2015 Peter Palfrader <peter@palfrader.org>
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -70,6 +70,12 @@ sub get_tag_generic {
                next unless (lc($rr->name) eq lc($zone));
 
                my $tag = $options{'pretty'} ? sprintf("%5d(%d)", $rr->keytag, $rr->algorithm) : $rr->keytag;
+
+               if ($type eq 'DNSKEY' && ($rr->{'flags'} & (1<<(15-8)))) {
+                       # key is revoked
+                       next;
+               }
+
                # for now only handle KSKs, i.e. keys with the SEP flag set
                if ($type eq 'DNSKEY' && !($rr->is_sep)) {
                        push @zsks, $tag;

diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog
index cfede1d..7c5c0de 100644 (file)
--- a/dsa-nagios-checks/debian/changelog
+++ b/dsa-nagios-checks/debian/changelog
@@ -1,8 +1,8 @@
 dsa-nagios-checks (105) UNRELEASED; urgency=medium
 
-  * 
+  * dsa-check-dnssec-delegation: Ignore revoked DNSKEYs in zone.
 
- -- Peter Palfrader <weasel@debian.org>  Sun, 07 Dec 2014 14:51:48 +0100
+ -- Peter Palfrader <weasel@debian.org>  Fri, 02 Jan 2015 10:53:43 +0100
 
 dsa-nagios-checks (104) unstable; urgency=medium