1 #!/usr/bin/python
2
3 import ldns
4 import unbound
5 from optparse import OptionParser
6 import sys
7 from datetime import datetime, timedelta
8
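def parse_rrsig_expire(expirestring):
    """Return the time left until an RRSIG expires, as a ``timedelta``.

    ``expirestring`` is the RRSIG "Signature Expiration" field in
    presentation format, ``YYYYMMDDHHMMSS`` in UTC (RFC 4034, section 3.2),
    e.g. the value of ``str(rrsig.rrsig_expiration())``.  The result is
    negative once the signature has already expired.

    Raises ValueError if the string is not a well-formed 14-digit timestamp
    (wrong length, non-digits, or an out-of-range field).
    """
    # strptime both parses and validates in one step: a truncated, non-numeric
    # or out-of-range field raises ValueError instead of yielding a misleading
    # delta from whatever digits happened to be present.
    expires = datetime.strptime(expirestring, "%Y%m%d%H%M%S")
    # The RRSIG time is UTC, so compare against a naive UTC "now"; using local
    # time would skew the remaining validity by the host's UTC offset.
    return expires - datetime.utcnow()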
19
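def check_dnssec_expire(resolver, name, warn, crit):
    """Report RRSIGs on ``name`` whose remaining validity is below a threshold.

    Resolves ``name`` through ``resolver`` (a validating ``unbound.ub_ctx``),
    then inspects every RRSIG in the answer section and writes one
    ``CRIT (<remaining>) <name>`` or ``WARN (<remaining>) <name>`` line for
    each signature expiring within ``crit`` or ``warn`` (both ``timedelta``).
    A failed lookup, a DNSSEC-bogus answer, an unparsable packet or an answer
    carrying no RRSIG at all is reported too instead of being skipped: a
    silent pass would hide exactly the failures this check exists to catch.
    Nothing is written when every signature is comfortably valid.
    """
    out = sys.stdout.write

    s, result = resolver.resolve(name)
    if s != 0:
        # Previously ignored, which left ``result`` unusable and either crashed
        # on ``result.packet`` or reported nothing for the name.
        out("CRIT (resolve failed: %s) %s\n" % (unbound.ub_strerror(s), name))
        return
    if result.bogus:
        # Validation against the configured trust anchor failed; checking the
        # expiry of signatures that did not validate would be meaningless.
        out("CRIT (bogus: %s) %s\n" % (result.why_bogus, name))
        return

    s, packet = ldns.ldns_wire2pkt(result.packet)
    if s != ldns.LDNS_STATUS_OK:
        out("CRIT (cannot parse answer packet) %s\n" % name)
        return

    rrlist = packet.rr_list_by_type(unbound.RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER)
    if rrlist is None:
        # NOTE(review): the ldns binding appears to return None when the
        # answer holds no RR of the requested type -- confirm.  An unsigned
        # answer ends up here; flag it rather than passing silently.
        out("WARN (no RRSIG in answer) %s\n" % name)
        return

    for rrsig in rrlist.rrs():
        delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
        if delta < crit:
            out("CRIT (%s) %s\n" % (delta, name))
        elif delta < warn:
            out("WARN (%s) %s\n" % (delta, name))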
34
35
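def main():
    """Command-line entry point: check RRSIG expiry for every ``--name``.

    Builds an unbound context with the root trust anchor from ``--ancor``
    (alias ``--anchor``) and runs ``check_dnssec_expire`` for each name,
    converting the day-based ``--warning-days`` / ``--critical-days``
    thresholds to ``timedelta``.  Exits through ``parser.error`` (status 2)
    when no name is given or the trust-anchor file cannot be loaded, so a
    misconfigured invocation is not mistaken for a clean run.
    """
    parser = OptionParser()
    parser.add_option("-n", "--name",
                      action="append", type="string", dest="names",
                      help="DNS name to check (may be given more than once)")
    # "--anchor" is the correctly spelled alias; "--ancor" and the dest are
    # kept so existing invocations keep working.
    parser.add_option("-a", "--ancor", "--anchor",
                      action="store", type="string", dest="ancor",
                      default="/etc/unbound/root.key",
                      help="DNSSEC root trust anchor file")
    parser.add_option("-w", "--warning-days",
                      action="store", type=int, dest="warn", default=5,
                      help="minimum remaining validity in days before a warning is issued")
    parser.add_option("-c", "--critical-days",
                      action="store", type=int, dest="crit", default=2,
                      help="minimum remaining validity in days before a critical is issued")

    opts, _args = parser.parse_args()
    if not opts.names:
        # Without any -n, ``opts.names`` is None and the loop below raised
        # TypeError; report the usage error instead.
        parser.error("at least one -n/--name is required")

    resolver = unbound.ub_ctx()
    status = resolver.add_ta_file(opts.ancor)
    if status != 0:
        # Otherwise the context runs without any trust anchor and no answer
        # is ever validated, while the script still reports on signatures.
        parser.error("cannot load trust anchor %s: %s"
                     % (opts.ancor, unbound.ub_strerror(status)))

    warn = timedelta(opts.warn)
    crit = timedelta(opts.crit)
    for name in opts.names:
        check_dnssec_expire(resolver, name, warn, crit)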
59
if __name__ == "__main__":
    # Hand main()'s return value (None today, i.e. exit status 0) to the
    # interpreter as the process exit status.
    sys.exit(main())