]>
git.siccegge.de Git - tools.git/blob - dnssec-check
5cf0d597cef2611ef87d0cd0d29928f185cb02bd
3 from __future__
import print_function
5 from unbound
import ub_ctx
, idn2dname
, RR_TYPE_SOA
, RR_TYPE_RRSIG
, ub_strerror
6 from optparse
import OptionParser
8 from datetime
import datetime
, timedelta
10 def parse_rrsig_expire(expirestring
):
11 expires
= datetime(int(expirestring
[:4]),
12 int(expirestring
[4:6]),
13 int(expirestring
[6:8]),
14 int(expirestring
[8:10]),
15 int(expirestring
[10:12]),
16 int(expirestring
[12:14]))
18 delta
= expires
- datetime
.utcnow()
21 def check_dnssec_expire(resolver
, name
, warn
, crit
):
22 s
, result
= resolver
.resolve(name
, rrtype
=RR_TYPE_SOA
)
28 print("CRIT (does not verify) %s" % (name
, ))
30 s
, packet
= ldns
.ldns_wire2pkt(result
.packet
)
31 rrsigs
= packet
.rr_list_by_type(RR_TYPE_RRSIG
, ldns
.LDNS_SECTION_ANSWER
).rrs()
33 delta
= parse_rrsig_expire(str(rrsig
.rrsig_expiration()))
36 print("CRIT (expires in %s) %s" % (delta
, name
))
38 print("WARN (expires in %s) %s" % (delta
, name
))
42 parser
= OptionParser()
43 parser
.add_option("-n", "--name",
44 action
="append", type="string", dest
="names",
45 help="DNS Names to check")
46 parser
.add_option("-a", "--ancor",
47 action
="store", type="string", dest
="ancor",
48 default
="/etc/unbound/root.key",
49 help="DNSSEC root ancor")
50 parser
.add_option("-w", "--warning-days",
51 action
="store", type=int, dest
="warn", default
=5,
52 help="minimum remaining validity in days before a warning is issued")
53 parser
.add_option("-c", "--critical-days",
54 action
="store", type=int, dest
="crit", default
=2,
55 help="minimum remaining validity in days before a warning is issued")
58 opts
, _args
= parser
.parse_args()
60 resolver
.add_ta_file(opts
.ancor
)
61 encoding
= sys
.getfilesystemencoding()
63 for name
in opts
.names
:
64 check_dnssec_expire(resolver
, idn2dname(name
.decode(encoding
)),
65 timedelta(opts
.warn
), timedelta(opts
.crit
))
67 if __name__
== "__main__":