Check if result is considered secure as well

author Christoph Egger <christoph@anonymous.siccegge.de>

Wed, 29 Oct 2014 21:04:50 +0000 (22:04 +0100)

committer Christoph Egger <christoph@anonymous.siccegge.de>

Wed, 29 Oct 2014 21:04:50 +0000 (22:04 +0100)
author Christoph Egger <christoph@anonymous.siccegge.de>
Wed, 29 Oct 2014 21:04:50 +0000 (22:04 +0100)
committer Christoph Egger <christoph@anonymous.siccegge.de>
Wed, 29 Oct 2014 21:04:50 +0000 (22:04 +0100)
diff --git a/dnssec-check b/dnssec-check

index 2b745daac5027944e03123ccae88add68248c1c3..5cf0d597cef2611ef87d0cd0d29928f185cb02bd 100755 (executable)
--- a/dnssec-check
+++ b/dnssec-check
@@ -24,15 +24,18 @@ def check_dnssec_expire(resolver, name, warn, crit):
          ub_strerror(s)
          return
  
          ub_strerror(s)
          return
  
+    if not result.secure:
+        print("CRIT (does not verify) %s" % (name, ))
+
      s, packet = ldns.ldns_wire2pkt(result.packet)
      rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
      for rrsig in rrsigs:
          delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
  
          if delta < crit:
      s, packet = ldns.ldns_wire2pkt(result.packet)
      rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs()
      for rrsig in rrsigs:
          delta = parse_rrsig_expire(str(rrsig.rrsig_expiration()))
  
          if delta < crit:
-            print("CRIT (%s) %s" % (delta, name))
+            print("CRIT (expires in %s) %s" % (delta, name))
          elif delta < warn:
          elif delta < warn:
-            print("WARN (%s) %s" % (delta, name))
+            print("WARN (expires in %s) %s" % (delta, name))
      
  
  def main():
      
  
  def main():
author	Christoph Egger <christoph@anonymous.siccegge.de>
	Wed, 29 Oct 2014 21:04:50 +0000 (22:04 +0100)
committer	Christoph Egger <christoph@anonymous.siccegge.de>
	Wed, 29 Oct 2014 21:04:50 +0000 (22:04 +0100)