flakes/private/monitoring/plugins/check_dnssec

   1 #!/usr/bin/env bash
   2
   3 # check_dnssec_expiry.sh
   4 #
   5 # Copyright 2017 by Mario Rimann <mario@rimann.org>
   6 # Licensed under the permissive MIT license, see LICENSE.md
   7 #
   8 # Development of this script was partially sponsored by my
   9 # employer internezzo, see http://www.internezzo.ch
  10 #
  11 # If this script helps you to make your work easier, please consider
  12 # to give feedback or do something good, see https://rimann.org/support
  13
  14 usage() {
  15         cat - >&2 << _EOT_
  16 usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
  17
  18         -z <zone>
  19                 specify zone to check
  20         -w <critical %>
  21                 warning time left percentage
  22         -c <critical %>
  23                 critical time left percentage
  24         -r <resolver>
  25                 specify which resolver to use.
  26         -f <always failing domain>
  27                 specify a domain that will always fail DNSSEC.
  28                 used to test if DNSSEC is supported in used tools.
  29         -t <DNS record type to check>
  30                 specify a DNS record type for calculating the remaining lifetime.
  31                 For example SOA, A, etc.
  32 _EOT_
  33         exit 255
  34 }
  35
  36 # Parse the input options
  37 while getopts ":z:w:c:r:f:h:t:" opt; do
  38   case $opt in
  39     z)
  40       zone=$OPTARG
  41       ;;
  42     w)
  43       warning=$OPTARG
  44       ;;
  45     c)
  46       critical=$OPTARG
  47       ;;
  48     r)
  49       resolver=$OPTARG
  50       ;;
  51     f)
  52       alwaysFailingDomain=$OPTARG
  53       ;;
  54     t)
  55       recordType=$OPTARG
  56       ;;
  57     h)
  58       usage ;;
  59   esac
  60 done
  61
  62
  63 # Check if dig is available at all - fail hard if not
  64 pathToDig=$( which dig )
  65 if [[ ! -e $pathToDig ]]; then
  66         echo "No executable of dig found, cannot proceed without dig. Sorry!"
  67         exit 1
  68 fi
  69
  70 # Check if we got a zone to validate - fail hard if not
  71 if [[ -z $zone ]]; then
  72         echo "Missing zone to test - please provide a zone via the -z parameter."
  73         usage
  74         exit 3
  75 fi
  76
  77 # Check if we got warning/critical percentage values, use defaults if not
  78 if [[ -z $warning ]]; then
  79         warning=20
  80 fi
  81 if [[ -z $critical ]]; then
  82         critical=10
  83 fi
  84
  85
  86 # Use Google's 8.8.8.8 resolver as fallback if none is provided
  87 if [[ -z $resolver ]]; then
  88         resolver="8.8.8.8"
  89 fi
  90
  91 if [[ -z $alwaysFailingDomain ]]; then
  92         alwaysFailingDomain="dnssec-failed.org"
  93 fi
  94
  95 # Use SOA record type as fallback
  96 if [[ -z $recordType ]]; then
  97         recordType="SOA"
  98 fi
  99
 100 # Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
 101 checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL")
 102 if [[ -z $checkResolverDoesDnssecValidation ]]; then
 103         echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
 104         exit 1
 105 fi
 106
 107 # Check if the resolver delivers an answer for the domain to test
 108 checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
 109 if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
 110
 111         checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
 112
 113         if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
 114                 echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
 115                 exit 2
 116         else
 117                 echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
 118                 exit 2
 119         fi
 120 fi
 121
 122 # Check if the domain is DNSSEC signed at all
 123 # (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
 124 checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
 125 if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
 126         echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
 127         exit 1
 128 fi
 129
 130
 131 # Check if there are multiple RRSIG responses and check them one after the other
 132 now=$(date +"%s")
 133 rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG )
 134 if [[ -z $rrsigEntries ]]; then
 135         echo "CRITICAL: There is no RRSIG for the SOA of your zone."
 136         exit 2
 137 else
 138         while read -r rrsig; do
 139                 # Get the RRSIG entry and extract the date out of it
 140                 expiryDateOfSignature=$( echo $rrsig | awk '{print $9}')
 141                 checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
 142                 if [[ -z $checkValidityOfExpirationTimestamp ]]; then
 143                         echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
 144                         exit 3
 145                 fi
 146
 147                 inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}')
 148                 checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}')
 149                 if [[ -z $checkValidityOfInceptionTimestamp ]]; then
 150                         echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
 151                         exit 3
 152                 fi
 153
 154                 # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
 155                 expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
 156                 expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
 157                 if [[ $? -ne 0 ]]; then
 158                         # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
 159                         expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
 160                 fi
 161                 inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
 162                 inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
 163                 if [[ $? -ne 0 ]]; then
 164                         # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
 165                         inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
 166                 fi
 167
 168
 169                 # calculate the remaining lifetime of the signature
 170                 totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
 171                 remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
 172                 remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
 173
 174                 # store the result of this single RRSIG's check
 175                 if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
 176                         maxRemainingLifetime=$remainingLifetimeOfSignature
 177                         maxRemainingPercentage=$remainingPercentage
 178                 fi
 179         done <<< "$rrsigEntries"
 180 fi
 181
 182
 183
 184
 185 # determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
 186 if [[ $maxRemainingPercentage -lt $critical ]]; then
 187         echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
 188         exit 2
 189 elif [[ $remainingPercentage -lt $warning ]]; then
 190         echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
 191         exit 1
 192 else
 193         echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
 194         exit 0
 195 fi