From c0e20bfec90862d61b75687eb9ce8f1c85ea34c3 Mon Sep 17 00:00:00 2001 From: Christoph Egger Date: Wed, 29 Oct 2014 21:47:10 +0100 Subject: [PATCH] add dnssec checkscript --- dnssec-check | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 dnssec-check diff --git a/dnssec-check b/dnssec-check new file mode 100644 index 0000000..5753be1 --- /dev/null +++ b/dnssec-check @@ -0,0 +1,61 @@ +#!/usr/bin/python + +import ldns +import unbound +from optparse import OptionParser +import sys +from datetime import datetime, timedelta + +def parse_rrsig_expire(expirestring): + expires = datetime(int(expirestring[:4]), + int(expirestring[4:6]), + int(expirestring[6:8]), + int(expirestring[8:10]), + int(expirestring[10:12]), + int(expirestring[12:14])) + + delta = expires - datetime.utcnow() + return delta + +def check_dnssec_expire(resolver, name, warn, crit): + s, result = resolver.resolve(name) + if 0 != s: + pass + + s, packet = ldns.ldns_wire2pkt(result.packet) + rrsigs = packet.rr_list_by_type(unbound.RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs() + for rrsig in rrsigs: + delta = parse_rrsig_expire(str(rrsig.rrsig_expiration())) + + if delta < crit: + print "CRIT (%s) %s" % (delta, name) + elif delta < warn: + print "WARN (%s) %s" % (delta, name) + + +def main(): + parser = OptionParser() + parser.add_option("-n", "--name", + action="append", type="string", dest="names", + help="DNS Names to check") + parser.add_option("-a", "--ancor", + action="store", type="string", dest="ancor", + default="/etc/unbound/root.key", + help="DNSSEC root ancor") + parser.add_option("-w", "--warning-days", + action="store", type=int, dest="warn", default=5, + help="minimum remaining validity in days before a warning is issued") + parser.add_option("-c", "--critical-days", + action="store", type=int, dest="crit", default=2, + help="minimum remaining validity in days before a warning is issued") + + + opts, _args = parser.parse_args() + resolver = unbound.ub_ctx() + resolver.add_ta_file(opts.ancor) + + for name in opts.names: + check_dnssec_expire(resolver, name, timedelta(opts.warn), timedelta(opts.crit)) + +if __name__ == "__main__": + main() -- 2.39.5