From 60602036d9381eaeca370cf93568b20518cea65d Mon Sep 17 00:00:00 2001 From: Christoph Egger Date: Wed, 29 Oct 2014 22:01:32 +0100 Subject: [PATCH] IDN + check for SOA instead for A record + IDN: normalize names from arguments + A records may not exist, use SOA record --- dnssec-check | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) mode change 100644 => 100755 dnssec-check diff --git a/dnssec-check b/dnssec-check old mode 100644 new mode 100755 index 5753be1..2b745da --- a/dnssec-check +++ b/dnssec-check @@ -1,7 +1,8 @@ #!/usr/bin/python +from __future__ import print_function import ldns -import unbound +from unbound import ub_ctx, idn2dname, RR_TYPE_SOA, RR_TYPE_RRSIG, ub_strerror from optparse import OptionParser import sys from datetime import datetime, timedelta @@ -18,19 +19,20 @@ def parse_rrsig_expire(expirestring): return delta def check_dnssec_expire(resolver, name, warn, crit): - s, result = resolver.resolve(name) + s, result = resolver.resolve(name, rrtype=RR_TYPE_SOA) if 0 != s: - pass + ub_strerror(s) + return s, packet = ldns.ldns_wire2pkt(result.packet) - rrsigs = packet.rr_list_by_type(unbound.RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs() + rrsigs = packet.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER).rrs() for rrsig in rrsigs: delta = parse_rrsig_expire(str(rrsig.rrsig_expiration())) if delta < crit: - print "CRIT (%s) %s" % (delta, name) + print("CRIT (%s) %s" % (delta, name)) elif delta < warn: - print "WARN (%s) %s" % (delta, name) + print("WARN (%s) %s" % (delta, name)) def main(): @@ -51,11 +53,13 @@ def main(): opts, _args = parser.parse_args() - resolver = unbound.ub_ctx() + resolver = ub_ctx() resolver.add_ta_file(opts.ancor) + encoding = sys.getfilesystemencoding() for name in opts.names: - check_dnssec_expire(resolver, name, timedelta(opts.warn), timedelta(opts.crit)) + check_dnssec_expire(resolver, idn2dname(name.decode(encoding)), + timedelta(opts.warn), timedelta(opts.crit)) if __name__ == "__main__": main() -- 2.39.2