do {
print STDERR "\nRECURSE\n" if $opts{d};
my $pkt;
+ my $prettyrefs = (scalar @refs) ? join(", ", @refs) : "root servers";
foreach my $ns (shuffle @refs) {
- print STDERR "sending query for $zone RRSIG to $ns\n" if $opts{d};
+ print STDERR "sending query for $zone SOA to $ns\n" if $opts{d};
$res->nameserver($ns);
$res->udp_timeout($opts{t});
$res->udppacketsize($opts{s});
- $pkt = $res->send($zone, 'RRSIG');
+ $pkt = $res->send($zone, 'SOA');
last if $pkt;
}
- critical("No response to seed query") unless $pkt;
+ print STDERR "No response to seed query for $zone SOA from $prettyrefs, retrying.\n" if $opts{d};
+ critical("No response to seed query for $zone from $prettyrefs.") unless $pkt;
critical($pkt->header->rcode . " from " . $pkt->answerfrom)
unless ($pkt->header->rcode eq 'NOERROR');
@refs = ();
foreach my $rr ($pkt->authority) {
print STDERR $rr->string, "\n" if $opts{d};
- push (@refs, $rr->nsdname);
+ push (@refs, $rr->nsdname) if $rr->type eq 'NS';
next unless lc($rr->name) eq lc($zone);
add_nslist_to_data($pkt);
$done = 1;
}
+ critical("No new references after querying for $zone SOA from $prettyrefs. Packet was ".$pkt->string) unless (scalar @refs);
} while (! $done);
}
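Review bot: The added debug line `print STDERR "No response to seed query for $zone SOA from $prettyrefs, retrying.\n" if $opts{d};` runs unconditionally after the foreach, so under -d it reports a missing response even when `$pkt` was received, and it announces a retry that the `critical(...) unless $pkt` on the next line never performs because critical aborts. Either guard it on the packet and drop the retry wording, e.g. `print STDERR "No response to seed query for $zone SOA from $prettyrefs.\n" if $opts{d} and not $pkt;`, or remove it, since the critical message that follows already carries the same detail. The new `if $rr->type eq 'NS'` filter on the push and the final `critical(...) unless (scalar @refs)` look right. The enclosing sub of this do/while starts outside the hunk.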
$n = 0;
foreach my $ns (keys %$data) {
next if $data->{$ns}->{done};
- print STDERR "\nQUERY $ns\n" if $opts{d};
+ print STDERR "\nQUERY \@$ns SOA $zone\n" if $opts{d};
- my $pkt = send_query($zone, 'RRSIG', $ns);
+ my $pkt = send_query($zone, 'SOA', $ns);
add_nslist_to_data($pkt);
- $data->{$ns}->{queries}->{RRSIG} = $pkt;
+ $data->{$ns}->{queries}->{SOA} = $pkt;
print STDERR "done with $ns\n" if $opts{d};
$data->{$ns}->{done} = 1;
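Review bot: `my $pkt = send_query($zone, 'SOA', $ns);` is handed straight to `add_nslist_to_data($pkt)` without any check that a response arrived; the only `unless $pkt` check on this packet sits in the later ANALYZE loop. If send_query returns undef on a timeout (its tail is outside the hunk, so this is inferred), add_nslist_to_data is called on undef before the missing-response critical is ever reached. Guarding the call, `add_nslist_to_data($pkt) if $pkt;`, keeps the `done` flag and the later critical intact while avoiding the undef dereference. The enclosing foreach continues outside the hunk.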
my %MAX_EXP_BY_TYPE;
foreach my $ns (keys %$data) {
print STDERR "\nANALYZE $ns\n" if $opts{d};
- my $pkt = $data->{$ns}->{queries}->{RRSIG};
+ my $pkt = $data->{$ns}->{queries}->{SOA};
critical("No response from $ns") unless $pkt;
print STDERR $pkt->string if $opts{d};
critical($pkt->header->rcode . " from $ns")
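Review bot: After `critical("No response from $ns") unless $pkt;` nothing checks the TC bit; now that the SOA query carries the DO bit, the reply includes RRSIG records and can exceed the UDP size taken from `$opts{s}`, and a truncated reply still passes the rcode check, so whatever signature analysis follows (outside the hunk) would inspect an answer with the RRSIGs cut off. Suggest `critical("Truncated response from $ns") if $pkt->header->tc;` right after the no-response check so the operator sees the real cause rather than a spurious missing-signature result. The rcode check at the end of the hunk continues outside it.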
my $res = Net::DNS::Resolver->new;
$res->nameserver($server) if $server;
$res->udp_timeout($opts{t});
+ $res->udp_timeout($opts{t});
+ $res->dnssec(1);
$res->retry(2);
$res->udppacketsize($opts{s});
my $pkt = $res->send($qname, $qtype);
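Review bot: The added `$res->udp_timeout($opts{t});` duplicates the context line directly above it and should be dropped. Separately, `$res->dnssec(1);` is called before `$res->udppacketsize($opts{s});`; in Net::DNS versions whose dnssec() raises the EDNS buffer size on its own, the explicit call two lines later overrides that, so the value behind `$opts{s}` (its default is outside the hunk) has to be large enough for a signed SOA response or replies will be truncated over UDP. If the default is small, consider raising it or noting the requirement where `$opts{s}` is documented. send_query's return is outside the hunk.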
dsa-nagios-checks (101) UNRELEASED; urgency=low
* dsa-check-zone-rrsig-expiration-many: add --debug option to pass through.
+ * dsa-check-zone-rrsig-expiration: Do not ask for RRSIG directly, instead
+ ask for SOA with dnssec data. Apparently some nameservers do give you the
+ RRSIG on the DS record instead of a referral (rcode0's for instance).
- -- Peter Palfrader <weasel@debian.org> Tue, 20 May 2014 13:54:29 +0200
+ -- Peter Palfrader <weasel@debian.org> Tue, 20 May 2014 13:58:00 +0200
dsa-nagios-checks (100) unstable; urgency=low