]>
Commit | Line | Data |
---|---|---|
97787a9d IB |
1 | #!/usr/bin/env bash |
2 | ||
3 | # check_dnssec_expiry.sh | |
4 | # | |
5 | # Copyright 2017 by Mario Rimann <mario@rimann.org> | |
6 | # Licensed under the permissive MIT license, see LICENSE.md | |
7 | # | |
8 | # Development of this script was partially sponsored by my | |
9 | # employer internezzo, see http://www.internezzo.ch | |
10 | # | |
11 | # If this script helps you to make your work easier, please consider | |
12 | # to give feedback or do something good, see https://rimann.org/support | |
13 | ||
14 | usage() { | |
15 | cat - >&2 << _EOT_ | |
16 | usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>] | |
17 | ||
18 | -z <zone> | |
19 | specify zone to check | |
20 | -w <critical %> | |
21 | warning time left percentage | |
22 | -c <critical %> | |
23 | critical time left percentage | |
24 | -r <resolver> | |
25 | specify which resolver to use. | |
26 | -f <always failing domain> | |
27 | specify a domain that will always fail DNSSEC. | |
28 | used to test if DNSSEC is supported in used tools. | |
29 | -t <DNS record type to check> | |
30 | specify a DNS record type for calculating the remaining lifetime. | |
31 | For example SOA, A, etc. | |
32 | _EOT_ | |
33 | exit 255 | |
34 | } | |
35 | ||
36 | # Parse the input options | |
37 | while getopts ":z:w:c:r:f:h:t:" opt; do | |
38 | case $opt in | |
39 | z) | |
40 | zone=$OPTARG | |
41 | ;; | |
42 | w) | |
43 | warning=$OPTARG | |
44 | ;; | |
45 | c) | |
46 | critical=$OPTARG | |
47 | ;; | |
48 | r) | |
49 | resolver=$OPTARG | |
50 | ;; | |
51 | f) | |
52 | alwaysFailingDomain=$OPTARG | |
53 | ;; | |
54 | t) | |
55 | recordType=$OPTARG | |
56 | ;; | |
57 | h) | |
58 | usage ;; | |
59 | esac | |
60 | done | |
61 | ||
62 | ||
63 | # Check if dig is available at all - fail hard if not | |
64 | pathToDig=$( which dig ) | |
65 | if [[ ! -e $pathToDig ]]; then | |
66 | echo "No executable of dig found, cannot proceed without dig. Sorry!" | |
67 | exit 1 | |
68 | fi | |
69 | ||
70 | # Check if we got a zone to validate - fail hard if not | |
71 | if [[ -z $zone ]]; then | |
72 | echo "Missing zone to test - please provide a zone via the -z parameter." | |
73 | usage | |
74 | exit 3 | |
75 | fi | |
76 | ||
77 | # Check if we got warning/critical percentage values, use defaults if not | |
78 | if [[ -z $warning ]]; then | |
79 | warning=20 | |
80 | fi | |
81 | if [[ -z $critical ]]; then | |
82 | critical=10 | |
83 | fi | |
84 | ||
85 | ||
86 | # Use Google's 8.8.8.8 resolver as fallback if none is provided | |
87 | if [[ -z $resolver ]]; then | |
88 | resolver="8.8.8.8" | |
89 | fi | |
90 | ||
91 | if [[ -z $alwaysFailingDomain ]]; then | |
92 | alwaysFailingDomain="dnssec-failed.org" | |
93 | fi | |
94 | ||
95 | # Use SOA record type as fallback | |
96 | if [[ -z $recordType ]]; then | |
97 | recordType="SOA" | |
98 | fi | |
99 | ||
100 | # Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith) | |
101 | checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL") | |
102 | if [[ -z $checkResolverDoesDnssecValidation ]]; then | |
103 | echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now." | |
104 | exit 1 | |
105 | fi | |
106 | ||
107 | # Check if the resolver delivers an answer for the domain to test | |
108 | checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone) | |
109 | if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then | |
110 | ||
111 | checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd) | |
112 | ||
113 | if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then | |
114 | echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC." | |
115 | exit 2 | |
116 | else | |
117 | echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active." | |
118 | exit 2 | |
119 | fi | |
120 | fi | |
121 | ||
122 | # Check if the domain is DNSSEC signed at all | |
123 | # (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone) | |
124 | checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short ) | |
125 | if [[ -z $checkZoneItselfIsSignedAtAll ]]; then | |
126 | echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)" | |
127 | exit 1 | |
128 | fi | |
129 | ||
130 | ||
131 | # Check if there are multiple RRSIG responses and check them one after the other | |
132 | now=$(date +"%s") | |
133 | rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG ) | |
134 | if [[ -z $rrsigEntries ]]; then | |
135 | echo "CRITICAL: There is no RRSIG for the SOA of your zone." | |
136 | exit 2 | |
137 | else | |
138 | while read -r rrsig; do | |
139 | # Get the RRSIG entry and extract the date out of it | |
140 | expiryDateOfSignature=$( echo $rrsig | awk '{print $9}') | |
141 | checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}') | |
142 | if [[ -z $checkValidityOfExpirationTimestamp ]]; then | |
143 | echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please". | |
144 | exit 3 | |
145 | fi | |
146 | ||
147 | inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}') | |
148 | checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}') | |
149 | if [[ -z $checkValidityOfInceptionTimestamp ]]; then | |
150 | echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please". | |
151 | exit 3 | |
152 | fi | |
153 | ||
154 | # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards | |
155 | expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00" | |
156 | expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null ) | |
157 | if [[ $? -ne 0 ]]; then | |
158 | # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic... | |
159 | expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" ) | |
160 | fi | |
161 | inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00" | |
162 | inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null ) | |
163 | if [[ $? -ne 0 ]]; then | |
164 | # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic... | |
165 | inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" ) | |
166 | fi | |
167 | ||
168 | ||
169 | # calculate the remaining lifetime of the signature | |
170 | totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime) | |
171 | remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now) | |
172 | remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime) | |
173 | ||
174 | # store the result of this single RRSIG's check | |
175 | if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then | |
176 | maxRemainingLifetime=$remainingLifetimeOfSignature | |
177 | maxRemainingPercentage=$remainingPercentage | |
178 | fi | |
179 | done <<< "$rrsigEntries" | |
180 | fi | |
181 | ||
182 | ||
183 | ||
184 | ||
185 | # determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided | |
186 | if [[ $maxRemainingPercentage -lt $critical ]]; then | |
187 | echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical" | |
188 | exit 2 | |
189 | elif [[ $remainingPercentage -lt $warning ]]; then | |
190 | echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical" | |
191 | exit 1 | |
192 | else | |
193 | echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical" | |
194 | exit 0 | |
195 | fi |