From fa48baccce197d52e773bc008a7a773d6e5c52f2 Mon Sep 17 00:00:00 2001 From: Christoph Egger Date: Wed, 29 Oct 2014 23:21:35 +0100 Subject: [PATCH] Also check DNSKEY records --- dnssec-check | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/dnssec-check b/dnssec-check index a14508d..ad3d08c 100755 --- a/dnssec-check +++ b/dnssec-check @@ -2,7 +2,7 @@ from __future__ import print_function import ldns -from unbound import ub_ctx, idn2dname, RR_TYPE_SOA, RR_TYPE_RRSIG, ub_strerror +from unbound import ub_ctx, idn2dname, RR_TYPE_SOA, RR_TYPE_DNSKEY, RR_TYPE_RRSIG, ub_strerror from optparse import OptionParser import sys from datetime import datetime, timedelta @@ -19,26 +19,28 @@ def parse_rrsig_expire(expirestring): return delta def check_dnssec_expire(resolver, name, warn, crit): - s, result = resolver.resolve(name, rrtype=RR_TYPE_SOA) - if 0 != s: - ub_strerror(s) - return 3 + for rrtype in [RR_TYPE_SOA, RR_TYPE_DNSKEY]: + s, result = resolver.resolve(name, rrtype=rrtype) + if 0 != s: + ub_strerror(s) + return 3 - if not result.secure: - print("CRIT (does not verify) %s" % (name, )) - return 2 + if not result.secure: + print("CRIT (does not verify) %s" % (name, )) + return 2 - s, packet = ldns.ldns_wire2pkt(result.packet) - rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs() - for rrsig in rrsigs: - delta = parse_rrsig_expire(str(rrsig.rrsig_expiration())) + s, packet = ldns.ldns_wire2pkt(result.packet) + rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs() - if delta < crit: - print("CRIT (expires in %s) %s" % (delta, name)) - return 2 - elif delta < warn: - print("WARN (expires in %s) %s" % (delta, name)) - return 1 + for rrsig in rrsigs: + delta = parse_rrsig_expire(str(rrsig.rrsig_expiration())) + + if delta < crit: + print("CRIT (expires in %s) %s" % (delta, name)) + return 2 + elif delta < warn: + print("WARN (expires in %s) %s" % (delta, name)) + return 1 return 0 -- 2.39.5