X-Git-Url: https://git.siccegge.de//index.cgi?a=blobdiff_plain;f=dnssec-check;h=25a45acf844d1df9b96af98fc52d06ef2bbb361c;hb=ea7c04d67335bf6398e67d18b332fdcd620cdc4e;hp=2b745daac5027944e03123ccae88add68248c1c3;hpb=60602036d9381eaeca370cf93568b20518cea65d;p=tools.git
diff --git a/dnssec-check b/dnssec-check
index 2b745da..25a45ac 100755
--- a/dnssec-check
+++ b/dnssec-check
@@ -22,7 +22,11 @@ def check_dnssec_expire(resolver, name, warn, crit):
 s, result = resolver.resolve(name, rrtype=RR_TYPE_SOA)
 if 0 != s:
 ub_strerror(s)
- return
+ return 3
+
+ if not result.secure:
+ print("CRIT (does not verify) %s" % (name, ))
+ return 2

 s, packet = ldns.ldns_wire2pkt(result.packet)
 rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
@@ -30,9 +34,12 @@ def check_dnssec_expire(resolver, name, warn, crit):
 delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))

 if delta < crit:
- print("CRIT (%s) %s" % (delta, name))
+ print("CRIT (expires in %s) %s" % (delta, name))
+ return 2
 elif delta < warn:
- print("WARN (%s) %s" % (delta, name))
+ print("WARN (expires in %s) %s" % (delta, name))
+ return 1
+ return 0


 def main():
@@ -56,10 +63,19 @@ def main():
 resolver = ub_ctx()
 resolver.add_ta_file(opts.ancor)
 encoding = sys.getfilesystemencoding()
-
+
+ final = 0
 for name in opts.names:
- check_dnssec_expire(resolver, idn2dname(name.decode(encoding)),
- timedelta(opts.warn), timedelta(opts.crit))
+ result = check_dnssec_expire(resolver, idn2dname(name.decode(encoding)),
+ timedelta(opts.warn), timedelta(opts.crit))
+ if result == 2:
+ final = 2
+ elif result == 1 and final != 2:
+ final = 1
+ elif result == 3 and final not in [1, 2]:
+ final = 3
+
+ sys.exit(final)

 if __name__ == "__main__":
 main()
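Review bot: The failed-resolve path now returns 3 but still prints nothing, because the `ub_strerror(s)` context line discards its return value, so an UNKNOWN for this name leaves no line in the plugin output. Printing it would fix that, e.g. `print("UNKNOWN (%s) %s" % (ub_strerror(s), name))`. The new `not result.secure` branch also gives the same "does not verify" text for a bogus answer (validation failed) and an insecure one (no chain of trust from the anchor). libunbound exposes `result.bogus` and `result.why_bogus`, and putting that reason in the CRIT line tells an operator which of the two happened. The body of check_dnssec_expire continues outside this hunk.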
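Review bot: The new trailing `return 0` is also reached when no RRSIG was examined at all, so a name whose answer section carries no signature is reported as OK. This could happen, for example, with a validated negative answer, which presumably still passes the `result.secure` check. A monitoring check should fail closed here and report that it found nothing to measure. Separately, if the `return 1` sits inside the loop over `rrsigs` (the loop header is outside the hunk, so this is inferred), a first signature in the warn window ends the function before a later one in the crit window is looked at. Tracking the worst state across the loop, as sketched below, covers both cases.

```python
    worst = None
    for rrsig in rrsigs:  # loop header assumed; it sits outside the hunk
        # … unchanged: delta computation …
        if delta < crit:
            # … unchanged: CRIT print …
            return 2
        elif delta < warn:
            # … unchanged: WARN print …
            worst = 1
        elif worst is None:
            worst = 0

    if worst is None:
        # No RRSIG was examined, so nothing vouches for an OK result.
        print("UNKNOWN (no RRSIG in answer) %s" % (name, ))
        return 3
    return worst
```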
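Review bot: The aggregation in the `for name in opts.names:` loop ranks UNKNOWN (3) below WARN (1), so a run where one name could not be resolved and another is merely in the warn window exits 1. Because the failing lookup prints nothing in check_dnssec_expire, that name's state is then invisible in both the exit code and the output. If this precedence is intended, state it next to the chain, e.g. `# precedence: CRIT > WARN > UNKNOWN > OK`. Otherwise a single ranked comparison such as `final = max(final, result, key=(0, 1, 3, 2).index)` makes the order explicit and puts UNKNOWN above WARN. The body of main() starts outside this hunk.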