5 from optparse
import OptionParser
7 from datetime
import datetime
, timedelta
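def parse_rrsig_expire(expirestring):
    """Return the time remaining until an RRSIG expiration timestamp.

    Args:
        expirestring: Expiration time as text in ``YYYYMMDDHHMMSS`` form.
            Only the first 14 characters are read; anything after them is
            ignored.

    Returns:
        A ``timedelta`` equal to the expiration time minus the current UTC
        time. The value is negative once the signature has expired.

    Raises:
        ValueError: If the first 14 characters are not all digits or do not
            form a valid calendar date and time.
    """
    stamp = expirestring[:14]
    # Reject anything that is not a full numeric timestamp up front, so that
    # an unexpected rendering of the field fails loudly instead of being
    # half-parsed into a misleading date.
    if len(stamp) != 14 or not stamp.isdigit():
        raise ValueError("unexpected RRSIG expiration format: %r" % (expirestring,))

    expires = datetime(int(stamp[0:4]),
                       int(stamp[4:6]),
                       int(stamp[6:8]),
                       int(stamp[8:10]),
                       int(stamp[10:12]),
                       int(stamp[12:14]))

    # Both operands are naive datetimes interpreted as UTC.
    delta = expires - datetime.utcnow()
    # The caller assigns this function's result, so the delta must be returned.
    return delta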
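def check_dnssec_expire(resolver, name, warn, crit):
    """Report RRSIGs for *name* that are close to (or past) expiration.

    Args:
        resolver: Object whose ``resolve(name)`` returns ``(status, result)``;
            the caller in this file passes an ``unbound.ub_ctx``.
        name: DNS name to look up. ``resolve()`` is called with its default
            record type.
        warn: ``timedelta``; remaining validity below this prints a WARN line.
        crit: ``timedelta``; remaining validity below this prints a CRIT line.

    Returns:
        None. Findings are printed to standard output, one line each.

    NOTE(review): the listing this was taken from skips several gutter lines
    inside this function, so the status checks, the loop header and the
    threshold comparisons below are reconstructed from the names the visible
    lines use (``rrsig``, ``warn``, ``crit``) -- confirm against the real file.
    """
    s, result = resolver.resolve(name)
    if s != 0:
        # A failed lookup must not be reported as "nothing to complain about".
        print("CRIT (resolve failed, status %s) %s" % (s, name))
        return

    if result.bogus:
        # The validator rejected the answer, which is what happens once a
        # signature has already expired; do not stay silent in that case.
        print("CRIT (DNSSEC validation failed) %s" % (name,))
        return

    s, packet = ldns.ldns_wire2pkt(result.packet)
    if s != 0:
        print("CRIT (cannot parse answer packet, status %s) %s" % (s, name))
        return

    rr_list = packet.rr_list_by_type(unbound.RR_TYPE_RRSIG,
                                     ldns.LDNS_SECTION_ANSWER)
    # Defensive: treat a missing list the same as an empty one.
    rrsigs = rr_list.rrs() if rr_list is not None else []

    seen = False
    for rrsig in rrsigs:
        seen = True
        delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
        if delta < crit:
            print("CRIT (%s) %s" % (delta, name))
        elif delta < warn:
            print("WARN (%s) %s" % (delta, name))

    if not seen:
        # An answer without any signature cannot be checked for expiry;
        # silence here would make the check fail open.
        print("CRIT (no RRSIG in answer) %s" % (name,))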
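def main():
    """Parse the command line and check every requested name.

    Options:
        -n/--name            DNS name to check; may be given several times.
        -a/--ancor/--anchor  Trust anchor file handed to the resolver
                             (default ``/etc/unbound/root.key``).
        -w/--warning-days    Remaining validity in days below which a
                             warning is issued (default 5).
        -c/--critical-days   Remaining validity in days below which a
                             critical result is issued (default 2).

    NOTE(review): the listing skips the gutter line just before these
    statements and ends on the ``__main__`` guard, so the ``def main():``
    header is presumed rather than visible -- confirm against the real file.
    """
    parser = OptionParser()
    parser.add_option("-n", "--name",
                      action="append", type="string", dest="names",
                      help="DNS Names to check")
    # "--ancor" is kept so existing invocations continue to work; "--anchor"
    # is an additional, correctly spelled alias for the same destination.
    parser.add_option("-a", "--ancor", "--anchor",
                      action="store", type="string", dest="ancor",
                      default="/etc/unbound/root.key",
                      help="DNSSEC root anchor")
    parser.add_option("-w", "--warning-days",
                      action="store", type=int, dest="warn", default=5,
                      help="minimum remaining validity in days before a warning is issued")
    # The original help text repeated the warning wording for this option.
    parser.add_option("-c", "--critical-days",
                      action="store", type=int, dest="crit", default=2,
                      help="minimum remaining validity in days before a critical is issued")

    opts, _args = parser.parse_args()

    # With action="append" and no default, names is None when -n was never
    # given; iterating over it would raise TypeError.
    if not opts.names:
        parser.error("at least one -n/--name is required")

    resolver = unbound.ub_ctx()
    # Without a loaded trust anchor the resolver has nothing to validate
    # against, so a failure here must stop the check instead of being ignored.
    status = resolver.add_ta_file(opts.ancor)
    if status != 0:
        parser.error("cannot load trust anchor %s (status %s)" % (opts.ancor, status))

    for name in opts.names:
        check_dnssec_expire(resolver, name,
                            timedelta(days=opts.warn), timedelta(days=opts.crit))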
60 if __name__
== "__main__":