1 #!/usr/bin/python
2
3 from __future__ import print_function
4 import ldns
5 from unbound import ub_ctx, idn2dname, RR_TYPE_SOA, RR_TYPE_RRSIG, ub_strerror
6 from optparse import OptionParser
7 import sys
8 from datetime import datetime, timedelta
9
def parse_rrsig_expire(expirestring):
    """Return the time left until the RRSIG expiration *expirestring* passes.

    *expirestring* is the textual RRSIG expiration field in the form
    YYYYMMDDHHMMSS (UTC, as printed by ldns).  The result is a ``timedelta``
    of ``expires - utcnow``; it is negative once the signature has expired.
    Raises ValueError when a field does not parse as an integer.
    """
    # (offset, width) of each field in the fixed-width timestamp.
    layout = ((0, 4), (4, 2), (6, 2), (8, 2), (10, 2), (12, 2))
    fields = [int(expirestring[start:start + width]) for start, width in layout]
    expires = datetime(*fields)
    return expires - datetime.utcnow()
20
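def check_dnssec_expire(resolver, name, warn, crit):
    """Print a WARN/CRIT line for *name* when its SOA RRSIGs expire soon.

    Resolves the SOA of *name* through the validating unbound context
    *resolver*, takes the RRSIG records from the answer section and compares
    each signature's remaining validity against the ``timedelta`` thresholds
    *crit* and *warn* (checked in that order).  One line is printed per
    finding; nothing is printed when every signature is comfortably valid.
    Lookup, validation and parse problems are reported as findings too,
    because silence would otherwise read as "all good".  Returns None.
    """
    s, result = resolver.resolve(name, rrtype=RR_TYPE_SOA)
    if 0 != s:
        # The original discarded ub_strerror(s); a failed lookup must be visible.
        print("UNKNOWN (%s) %s" % (ub_strerror(s), name))
        return

    # Signature expiry only means something if the chain validated: a bogus or
    # unvalidated (insecure) answer must not pass the check silently.
    if result.bogus:
        print("CRIT (bogus: %s) %s" % (result.why_bogus, name))
        return
    if not result.secure:
        print("WARN (answer not DNSSEC validated) %s" % name)
        return

    s, packet = ldns.ldns_wire2pkt(result.packet)
    if 0 != s:  # LDNS_STATUS_OK is 0
        print("UNKNOWN (cannot parse answer packet, ldns status %s) %s" % (s, name))
        return

    # NOTE(review): rr_list_by_type is believed to return None rather than an
    # empty list when no RR matches; guard so an unsigned answer is reported
    # instead of raising AttributeError.
    rrlist = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER)
    rrsigs = list(rrlist.rrs()) if rrlist is not None else []
    if not rrsigs:
        print("CRIT (no RRSIG in answer) %s" % name)
        return

    for rrsig in rrsigs:
        delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))

        if delta < crit:
            print("CRIT (%s) %s" % (delta, name))
        elif delta < warn:
            print("WARN (%s) %s" % (delta, name))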
37
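def main():
    """Parse the command line and run the expiry check for every -n name.

    Options: ``-n/--name`` (repeatable, at least one required),
    ``-a/--ancor`` trust-anchor file for the validator,
    ``-w/--warning-days`` and ``-c/--critical-days`` thresholds in days.
    Exits via the parser (usage error) when no name is given and via
    ``sys.exit`` when the trust anchor cannot be loaded.
    """
    parser = OptionParser()
    parser.add_option("-n", "--name",
                      action="append", type="string", dest="names",
                      help="DNS Names to check")
    parser.add_option("-a", "--ancor",
                      action="store", type="string", dest="ancor",
                      default="/etc/unbound/root.key",
                      help="DNSSEC root ancor")
    parser.add_option("-w", "--warning-days",
                      action="store", type=int, dest="warn", default=5,
                      help="minimum remaining validity in days before a warning is issued")
    parser.add_option("-c", "--critical-days",
                      action="store", type=int, dest="crit", default=2,
                      help="minimum remaining validity in days before a critical is issued")

    opts, _args = parser.parse_args()
    if not opts.names:
        # optparse leaves dest=None when -n is never given; iterating it raises TypeError.
        parser.error("at least one -n/--name is required")

    resolver = ub_ctx()
    # Without the trust anchor nothing validates; fail loudly instead of
    # reporting every zone as unvalidated.
    status = resolver.add_ta_file(opts.ancor)
    if 0 != status:
        sys.exit("cannot load trust anchor %s: %s" % (opts.ancor, ub_strerror(status)))
    encoding = sys.getfilesystemencoding()

    warn = timedelta(opts.warn)
    crit = timedelta(opts.crit)
    for name in opts.names:
        # Under Python 2 argv entries are byte strings; decode before IDN conversion.
        if isinstance(name, bytes):
            name = name.decode(encoding)
        check_dnssec_expire(resolver, idn2dname(name), warn, crit)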
63
# Script entry point: only run when executed directly, not when imported.
if __name__ == "__main__":
    main()