from __future__ import print_function
import ldns
-from unbound import ub_ctx, idn2dname, RR_TYPE_SOA, RR_TYPE_RRSIG, ub_strerror
+from unbound import ub_ctx, idn2dname, RR_TYPE_SOA, RR_TYPE_DNSKEY, RR_TYPE_RRSIG, ub_strerror
from optparse import OptionParser
import sys
from datetime import datetime, timedelta
return delta
def check_dnssec_expire(resolver, name, warn, crit):
- s, result = resolver.resolve(name, rrtype=RR_TYPE_SOA)
- if 0 != s:
- ub_strerror(s)
- return 3
+ for rrtype in [RR_TYPE_SOA, RR_TYPE_DNSKEY]:
+ s, result = resolver.resolve(name, rrtype=rrtype)
+ if 0 != s:
+ ub_strerror(s)
+ return 3
- if not result.secure:
- print("CRIT (does not verify) %s" % (name, ))
- return 2
+ if not result.secure:
+ print("CRIT (does not verify) %s" % (name, ))
+ return 2
- s, packet = ldns.ldns_wire2pkt(result.packet)
- rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
- for rrsig in rrsigs:
- delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
+ s, packet = ldns.ldns_wire2pkt(result.packet)
+ rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
- if delta < crit:
- print("CRIT (expires in %s) %s" % (delta, name))
- return 2
- elif delta < warn:
- print("WARN (expires in %s) %s" % (delta, name))
- return 1
+ for rrsig in rrsigs:
+ delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
+
+ if delta < crit:
+ print("CRIT (expires in %s) %s" % (delta, name))
+ return 2
+ elif delta < warn:
+ print("WARN (expires in %s) %s" % (delta, name))
+ return 1
return 0
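Review bot: The early `return 1` on a WARN-level RRSIG stops the scan before the remaining signatures are examined, so once the loop covers both SOA and DNSKEY a WARN on the first type masks a CRIT on the second and the plugin under-reports the worse state; the indentation is lost in this view, but the per-RRSIG loop appears to run inside the rrtype loop, and the same early-return pattern was carried over from the removed lines. The status of `ldns.ldns_wire2pkt` is also assigned to `s` and never checked before `packet` is used, which is new exposure now that two answers are parsed per run. I would keep the immediate return only for CRIT (nothing can be worse), remember the worst status seen otherwise, check the wire2pkt status, and return the worst status after both types are processed.

```python
    worst = 0
    for rrtype in [RR_TYPE_SOA, RR_TYPE_DNSKEY]:
        # … unchanged: resolve(), ub_strerror status check, result.secure check …
        s, packet = ldns.ldns_wire2pkt(result.packet)
        if s != ldns.LDNS_STATUS_OK:
            return 3
        for rrsig in packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs():
            delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
            if delta < crit:
                print("CRIT (expires in %s) %s" % (delta, name))
                return 2
            elif delta < warn and worst < 1:
                print("WARN (expires in %s) %s" % (delta, name))
                worst = 1
    return worst
```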