
check_zone_rrsig_expiration: Updateing to 1.11
waja committed Sep 29, 2014
1 parent 6d9f7c6 commit f753009
Showing 2 changed files with 21 additions and 10 deletions.
29 changes: 20 additions & 9 deletions check_zone_rrsig_expiration/check_zone_rrsig_expiration
@@ -1,6 +1,6 @@
#!/usr/bin/perl

# $Id: check_zone_rrsig_expiration,v 1.10 2011/01/04 22:27:26 wessels Exp $
# $Id: check_zone_rrsig_expiration,v 1.11 2014/05/23 17:37:52 wessels Exp $
#
# check_zone_rrsig_expiration
#
Expand Down Expand Up @@ -74,8 +74,9 @@ use List::Util qw ( shuffle );
# -d debug
# -C days Critical if expiring in this many days
# -W days Warning if expiring in this many days
my %opts = (t=>30, C=>2, W=>3);
getopts('Z:dt:W:C:', \%opts);
# -T type Query type (default SOA)
my %opts = (t=>30, C=>2, W=>3, T=>'SOA');
getopts('Z:dt:W:C:T:', \%opts);
usage() unless $opts{Z};
usage() if $opts{h};
my $zone = $opts{Z};
Expand Down Expand Up @@ -114,18 +115,21 @@ sub do_recursion {
print STDERR "\nRECURSE\n" if $opts{d};
my $pkt;
foreach my $ns (shuffle @refs) {
print STDERR "sending query for $zone RRSIG to $ns\n" if $opts{d};
print STDERR "sending query for $zone $opts{T} to $ns\n" if $opts{d};
$res->nameserver($ns);
$res->udp_timeout($opts{t});
$res->recurse(0);
$res->dnssec(1);
$res->udppacketsize(4096);
$pkt = $res->send($zone, 'RRSIG');
$pkt = $res->send($zone, $opts{T});
last if $pkt;
}
critical("No response to seed query") unless $pkt;
critical($pkt->header->rcode . " from " . $pkt->answerfrom)
unless ($pkt->header->rcode eq 'NOERROR');
@refs = ();
foreach my $rr ($pkt->authority) {
next unless $rr->type eq 'NS';
print STDERR $rr->string, "\n" if $opts{d};
push (@refs, $rr->nsdname);
next unless names_equal($rr->name, $zone);
Expand All @@ -144,9 +148,9 @@ sub do_queries {
next if $data->{$ns}->{done};
print STDERR "\nQUERY $ns\n" if $opts{d};

my $pkt = send_query($zone, 'RRSIG', $ns);
my $pkt = send_query($zone, $opts{T}, $ns);
add_nslist_to_data($pkt);
$data->{$ns}->{queries}->{RRSIG} = $pkt;
$data->{$ns}->{queries}->{$opts{T}} = $pkt;

print STDERR "done with $ns\n" if $opts{d};
$data->{$ns}->{done} = 1;
Expand All @@ -161,7 +165,7 @@ sub do_analyze {
my %MAX_EXP_BY_TYPE;
foreach my $ns (keys %$data) {
print STDERR "\nANALYZE $ns\n" if $opts{d};
my $pkt = $data->{$ns}->{queries}->{RRSIG};
my $pkt = $data->{$ns}->{queries}->{$opts{T}};
critical("No response from $ns") unless $pkt;
print STDERR $pkt->string if $opts{d};
critical($pkt->header->rcode . " from $ns")
Expand Down Expand Up @@ -250,7 +254,12 @@ sub output {
}

sub usage {
print STDERR "usage: $0 -Z zone\n";
print STDERR "usage: $0 -Z zone -d -t timeout -W days -C days\n";
print STDERR "\t-Z zone zone to test\n";
print STDERR "\t-d debug\n";
print STDERR "\t-t seconds timeout on DNS queries\n";
print STDERR "\t-W days warning threshhold\n";
print STDERR "\t-C days critical threshold\n";
exit 3;
}

Expand All @@ -262,6 +271,8 @@ sub send_query {
$res->nameserver($server) if $server;
$res->udp_timeout($opts{t});
$res->retry(2);
$res->recurse(0);
$res->dnssec(1);
$res->udppacketsize(4096);
my $pkt = $res->send($qname, $qtype);
unless ($pkt) {
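Review bot: The usage text rewritten in the `sub usage` hunk lists `-d`, `-t`, `-W` and `-C` but omits the new `-T type` option that the option-parsing hunk introduces (`getopts('Z:dt:W:C:T:', \%opts)`), so the one place an operator sees the plugin's options still does not mention it; add `-T type` to the usage line and `print STDERR "\t-T type query type to request (default SOA)\n";` alongside the other option lines. The `-T` value is also handed straight to `$res->send($zone, $opts{T})` in both `do_recursion` and `do_queries` without any validation; as far as I can tell an unrecognised type name makes Net::DNS die, which exits with a non-Nagios status rather than the plugin's UNKNOWN (3), so a guard right after `getopts`, e.g. `usage() unless $opts{T} =~ /\A[A-Za-z0-9]+\z/;`, would keep a bad argument on the plugin's own error path. The option-parsing lines are top-level code outside any sub, while `do_recursion` and `do_queries` start and end outside their hunks.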
2 changes: 1 addition & 1 deletion check_zone_rrsig_expiration/control
Expand Up @@ -4,4 +4,4 @@ Uploaders: Bernd Zeimetz <bzed@debian.org>
Description: plugin to check for expiration of
signatures in dnssec-enabled zones.
Recommends: libnet-dns-perl, libnet-dns-sec-perl
Version: 1.10
Version: 1.11
