s, result = resolver.resolve(name, rrtype=RR_TYPE_SOA)
if 0 != s:
ub_strerror(s)
- return
+ return 3
if not result.secure:
print("CRIT (does not verify) %s" % (name, ))
+ return 2
s, packet = ldns.ldns_wire2pkt(result.packet)
rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
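Review bot: The lookup-failure path at `ub_strerror(s)` / `return 3` discards the error string, so the check reports UNKNOWN without printing anything an operator could act on; print it, e.g. `print("UNKNOWN (%s) %s" % (ub_strerror(s), name))`. The status `s` returned by `ldns.ldns_wire2pkt(result.packet)` is also never tested in the lines shown, so a packet that fails to parse would reach `packet.rr_list_by_type(...)` instead of returning 3. The `not result.secure` branch gives unsigned and bogus answers the same message; if the distinction matters for triage, `result.bogus` and `result.why_bogus` could be added to the CRIT line. The function starts above this hunk and continues below it.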
if delta < crit:
print("CRIT (expires in %s) %s" % (delta, name))
+ return 2
elif delta < warn:
print("WARN (expires in %s) %s" % (delta, name))
+ return 1
+ return 0
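Review bot: The new `return 2` / `return 1` / `return 0` statements give the function a status contract that is stated nowhere. Its signature is outside this hunk, but a docstring there should say that it returns 0 for OK, 1 for WARN, 2 for CRIT and 3 when the lookup failed. Named module-level constants such as `OK, WARN, CRIT, UNKNOWN = 0, 1, 2, 3` would keep these values in step with the comparisons in `main()`. Nothing visible here prints a line on the `return 0` path, so a healthy name appears to produce no output; if that is not intended, add `print("OK (expires in %s) %s" % (delta, name))` before it.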
def main():
resolver = ub_ctx()
resolver.add_ta_file(opts.ancor)
encoding = sys.getfilesystemencoding()
-
+
+ final = 0
for name in opts.names:
- check_dnssec_expire(resolver, idn2dname(name.decode(encoding)),
- timedelta(opts.warn), timedelta(opts.crit))
+ result = check_dnssec_expire(resolver, idn2dname(name.decode(encoding)),
+ timedelta(opts.warn), timedelta(opts.crit))
+ if result == 2:
+ final = 2
+ elif result == 1 and final != 2:
+ final = 1
+ elif result == 3 and final not in [1, 2]:
+ final = 3
+
+ sys.exit(final)
if __name__ == "__main__":
main()
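Review bot: In the aggregation chain, `elif result == 3 and final not in [1, 2]` ranks a failed lookup below WARN, so a name that could not be resolved is hidden from the exit status as soon as any other name warns. If UNKNOWN should outrank WARN, an explicit ordering makes that a one-line decision: `SEVERITY = (0, 1, 3, 2)` and `final = max(final, result, key=SEVERITY.index)`; with `(0, 3, 1, 2)` the same line reproduces the current behaviour. An uncaught exception inside the loop, for example from `name.decode(encoding)`, would presumably end the process with Python's default exit status 1, which a monitor reading these codes would take as WARN. Catching it per name and mapping it to 3 avoids that.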