3 # check_dnssec_expiry.sh
5 # Copyright 2017 by Mario Rimann <mario@rimann.org>
6 # Licensed under the permissive MIT license, see LICENSE.md
8 # Development of this script was partially sponsored by my
9 # employer internezzo, see http://www.internezzo.ch
11 # If this script helps you to make your work easier, please consider
12 # to give feedback or do something good, see https://rimann.org/support
16 usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
21 warning time left percentage
23 critical time left percentage
25 specify which resolver to use.
26 -f <always failing domain>
27 specify a domain that will always fail DNSSEC.
28 used to test if DNSSEC is supported in used tools.
29 -t <DNS record type to check>
30 specify a DNS record type for calculating the remaining lifetime.
31 For example SOA, A, etc.
36 # Parse the input options
37 while getopts ":z:w:c:r:f:h:t:" opt
; do
52 alwaysFailingDomain
=$OPTARG
63 # Check if dig is available at all - fail hard if not
64 pathToDig
=$( which dig )
65 if [[ ! -e $pathToDig ]]; then
66 echo "No executable of dig found, cannot proceed without dig. Sorry!"
70 # Check if we got a zone to validate - fail hard if not
71 if [[ -z $zone ]]; then
72 echo "Missing zone to test - please provide a zone via the -z parameter."
77 # Check if we got warning/critical percentage values, use defaults if not
78 if [[ -z $warning ]]; then
81 if [[ -z $critical ]]; then
86 # Use Google's 8.8.8.8 resolver as fallback if none is provided
87 if [[ -z $resolver ]]; then
91 if [[ -z $alwaysFailingDomain ]]; then
92 alwaysFailingDomain
="dnssec-failed.org"
95 # Use SOA record type as fallback
96 if [[ -z $recordType ]]; then
100 # Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
101 checkResolverDoesDnssecValidation
=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL")
102 if [[ -z $checkResolverDoesDnssecValidation ]]; then
103 echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
107 # Check if the resolver delivers an answer for the domain to test
108 checkDomainResolvableWithDnssecEnabledResolver
=$(dig +short @${resolver} SOA $zone)
109 if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
111 checkDomainResolvableWithDnssecValidationExplicitelyDisabled
=$(dig +short @${resolver} SOA $zone +cd)
113 if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
114 echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
117 echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
122 # Check if the domain is DNSSEC signed at all
123 # (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
124 checkZoneItselfIsSignedAtAll
=$( dig $zone @$resolver DS +short )
125 if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
126 echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
131 # Check if there are multiple RRSIG responses and check them one after the other
133 rrsigEntries
=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG )
134 if [[ -z $rrsigEntries ]]; then
135 echo "CRITICAL: There is no RRSIG for the SOA of your zone."
138 while read -r rrsig
; do
139 # Get the RRSIG entry and extract the date out of it
140 expiryDateOfSignature
=$( echo $rrsig | awk '{print $9}')
141 checkValidityOfExpirationTimestamp
=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
142 if [[ -z $checkValidityOfExpirationTimestamp ]]; then
143 echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
147 inceptionDateOfSignature
=$( echo $rrsig | awk '{print $10}')
148 checkValidityOfInceptionTimestamp
=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}')
149 if [[ -z $checkValidityOfInceptionTimestamp ]]; then
150 echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
154 # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
155 expiryDateAsString
="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
156 expiryDateOfSignatureAsUnixTime
=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
157 if [[ $?
-ne 0 ]]; then
158 # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
159 expiryDateOfSignatureAsUnixTime
=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
161 inceptionDateAsString
="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
162 inceptionDateOfSignatureAsUnixTime
=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
163 if [[ $?
-ne 0 ]]; then
164 # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
165 inceptionDateOfSignatureAsUnixTime
=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
169 # calculate the remaining lifetime of the signature
170 totalLifetime
=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
171 remainingLifetimeOfSignature
=$( expr $expiryDateOfSignatureAsUnixTime - $now)
172 remainingPercentage
=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
174 # store the result of this single RRSIG's check
175 if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
176 maxRemainingLifetime
=$remainingLifetimeOfSignature
177 maxRemainingPercentage
=$remainingPercentage
179 done <<< "$rrsigEntries"
185 # determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
186 if [[ $maxRemainingPercentage -lt $critical ]]; then
187 echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
189 elif [[ $remainingPercentage -lt $warning ]]; then
190 echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
193 echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"