#!/usr/bin/python
+from __future__ import print_function
import ldns
-import unbound
+from unbound import ub_ctx, idn2dname, RR_TYPE_SOA, RR_TYPE_RRSIG, ub_strerror
from optparse import OptionParser
import sys
from datetime import datetime, timedelta
return delta
def check_dnssec_expire(resolver, name, warn, crit):
- s, result = resolver.resolve(name)
+ s, result = resolver.resolve(name, rrtype=RR_TYPE_SOA)
if 0 != s:
- pass
+ ub_strerror(s)
+ return
s, packet = ldns.ldns_wire2pkt(result.packet)
- rrsigs = packet.rr_list_by_type(unbound.RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
+ rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
for rrsig in rrsigs:
delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
if delta < crit:
- print "CRIT (%s) %s" % (delta, name)
+ print("CRIT (%s) %s" % (delta, name))
elif delta < warn:
- print "WARN (%s) %s" % (delta, name)
+ print("WARN (%s) %s" % (delta, name))
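Review bot: The new error branch in check_dnssec_expire calls `ub_strerror(s)` but throws the returned string away and then returns, so a failed lookup prints nothing and the monitor's output looks the same as for a healthy zone. The same silence applies to the unchecked status from `ldns.ldns_wire2pkt` and to an answer that carries no data or that unbound marks bogus, since the loop then simply has no RRSIGs to compare. For a signature-expiry check these cases should report a failure rather than fall through; the sketch below uses the `bogus` and `havedata` attributes of the pyunbound result, and the message texts are only suggestions.

```python
    if 0 != s:
        print("CRIT (resolve failed: %s) %s" % (ub_strerror(s), name))
        return
    if result.bogus or not result.havedata:
        print("CRIT (bogus or empty SOA answer) %s" % name)
        return
    s, packet = ldns.ldns_wire2pkt(result.packet)
    if 0 != s:
        print("CRIT (cannot parse answer) %s" % name)
        return
    # … unchanged: RRSIG extraction and the warn/crit comparison loop …
```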
def main():
opts, _args = parser.parse_args()
- resolver = unbound.ub_ctx()
+ resolver = ub_ctx()
resolver.add_ta_file(opts.ancor)
+ encoding = sys.getfilesystemencoding()
for name in opts.names:
- check_dnssec_expire(resolver, name, timedelta(opts.warn), timedelta(opts.crit))
+ check_dnssec_expire(resolver, idn2dname(name.decode(encoding)),
+ timedelta(opts.warn), timedelta(opts.crit))
if __name__ == "__main__":
main()
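Review bot: `name.decode(encoding)` in main only works where command-line arguments are byte strings, i.e. Python 2; on Python 3 `str` has no `decode`, which undercuts the `print_function` import added at the top of the file. A guard such as `if isinstance(name, bytes): name = name.decode(encoding)` before calling `idn2dname(name)` keeps both interpreters working. A name that fails to decode or convert will also raise inside the loop and leave the remaining names unchecked, so wrapping the conversion in a `try`/`except UnicodeError` that prints a CRIT line for that name and continues would be safer for a monitoring script.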