--- /dev/null
+#!/bin/bash
+
+set -e
+set -u
+
+not_valid=""
+for key in $(find /var/lib/unbound -type f) ; do
+ if ! grep -v '^;' "$key" | grep -q '\[ VALID \]'; then
+ not_valid="$not_valid $(basename "$key" .key)"
+ fi
+done
+if [ -n "$not_valid" ]; then
+ echo "Warning: no valid trust anchors found for$not_valid."
+ exit 1
+fi
+
+old_anchors=$(find /var/lib/unbound -type f -mtime +5)
+if [ -n "$old_anchors" ]; then
+ echo "Warning: Some keys are old: $old_anchors."
+ exit 1
+fi
+
+
+echo "OK: All keys in /var/lib/unbound recent and valid"
+exit 0
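Review bot: An empty /var/lib/unbound passes this check as OK, because when `find` returns no files the `for key in $(find …)` body never runs, `not_valid` and `old_anchors` both stay empty, and the script reaches the final `echo "OK: …"`. For a monitor of DNSSEC trust anchors, the absence of any anchor file should itself be reported, for example with `[ -n "$(find /var/lib/unbound -type f)" ] || { echo "Warning: no trust anchor files in /var/lib/unbound."; exit 1; }` placed before the loop. The loop also treats every regular file in that directory as a key file and splits the `find` output on whitespace. A `while IFS= read -r key` loop over a narrower match would be more robust, such as `-name '*.key'` if that is how the anchors are named, as the `basename "$key" .key` call suggests.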
dsa-nagios-checks (117) UNRELEASED; urgency=medium
* dsa-check-hpssacli: add --ignore-cache
+ * add: dsa-check-unbound-anchors
-- Peter Palfrader <weasel@debian.org> Sun, 11 Mar 2018 09:06:13 +0100