dnssec-check

   1 #!/usr/bin/python
   2
   3 from __future__ import print_function
   4 import ldns
   5 from unbound import ub_ctx, idn2dname, RR_TYPE_SOA, RR_TYPE_RRSIG, ub_strerror
   6 from optparse import OptionParser
   7 import sys
   8 from datetime import datetime, timedelta
   9
  10 def parse_rrsig_expire(expirestring):
  11     expires = datetime(int(expirestring[:4]),
  12                        int(expirestring[4:6]),
  13                        int(expirestring[6:8]),
  14                        int(expirestring[8:10]),
  15                        int(expirestring[10:12]),
  16                        int(expirestring[12:14]))
  17
  18     delta = expires - datetime.utcnow()
  19     return delta
  20
  21 def check_dnssec_expire(resolver, name, warn, crit):
  22     s, result = resolver.resolve(name, rrtype=RR_TYPE_SOA)
  23     if 0 != s:
  24         ub_strerror(s)
  25         return 3
  26
  27     if not result.secure:
  28         print("CRIT (does not verify) %s" % (name, ))
  29         return 2
  30
  31     s, packet = ldns.ldns_wire2pkt(result.packet)
  32     rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
  33     for rrsig in rrsigs:
  34         delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
  35
  36         if delta < crit:
  37             print("CRIT (expires in %s) %s" % (delta, name))
  38             return 2
  39         elif delta < warn:
  40             print("WARN (expires in %s) %s" % (delta, name))
  41             return 1
  42     return 0
  43
  44
  45 def main():
  46     parser = OptionParser()
  47     parser.add_option("-n", "--name",
  48                       action="append", type="string", dest="names",
  49                       help="DNS Names to check")
  50     parser.add_option("-a", "--ancor",
  51                       action="store", type="string", dest="ancor",
  52                       default="/etc/unbound/root.key",
  53                       help="DNSSEC root ancor")
  54     parser.add_option("-w", "--warning-days",
  55                       action="store", type=int, dest="warn", default=5,
  56                       help="minimum remaining validity in days before a warning is issued")
  57     parser.add_option("-c", "--critical-days",
  58                       action="store", type=int, dest="crit", default=2,
  59                       help="minimum remaining validity in days before a warning is issued")
  60
  61
  62     opts, _args = parser.parse_args()
  63     resolver = ub_ctx()
  64     resolver.add_ta_file(opts.ancor)
  65     encoding = sys.getfilesystemencoding()
  66
  67     final = 0
  68     for name in  opts.names:
  69         result = check_dnssec_expire(resolver, idn2dname(name.decode(encoding)),
  70                                      timedelta(opts.warn), timedelta(opts.crit))
  71         if result == 2:
  72             final = 2
  73         elif result == 1 and final != 2:
  74             final = 1
  75         elif result == 3 and final not in [1, 2]:
  76             final = 3
  77
  78     sys.exit(final)
  79
  80 if __name__ == "__main__":
  81     main()