aboutsummaryrefslogtreecommitdiff
path: root/flakes/private/monitoring/plugins
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-10 10:44:24 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-12 00:24:46 +0200
commit97787a9dd8b136c8dc327fab42aedf2aa1109ec0 (patch)
tree4b7ea0d889a4c2c27bfec351693995f1fcba2bbb /flakes/private/monitoring/plugins
parent450e0db1a1ad900f93519c00f0ef132ec42a3728 (diff)
downloadNix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.gz
Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.zst
Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.zip
Add dnssec
Diffstat (limited to 'flakes/private/monitoring/plugins')
-rwxr-xr-xflakes/private/monitoring/plugins/check_dnssec195
1 files changed, 195 insertions, 0 deletions
diff --git a/flakes/private/monitoring/plugins/check_dnssec b/flakes/private/monitoring/plugins/check_dnssec
new file mode 100755
index 0000000..a6e408d
--- /dev/null
+++ b/flakes/private/monitoring/plugins/check_dnssec
@@ -0,0 +1,195 @@
1#!/usr/bin/env bash
2
3# check_dnssec_expiry.sh
4#
5# Copyright 2017 by Mario Rimann <mario@rimann.org>
6# Licensed under the permissive MIT license, see LICENSE.md
7#
8# Development of this script was partially sponsored by my
9# employer internezzo, see http://www.internezzo.ch
10#
11# If this script helps you to make your work easier, please consider
12# to give feedback or do something good, see https://rimann.org/support
13
14usage() {
15 cat - >&2 << _EOT_
16usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
17
18 -z <zone>
19 specify zone to check
20 -w <critical %>
21 warning time left percentage
22 -c <critical %>
23 critical time left percentage
24 -r <resolver>
25 specify which resolver to use.
26 -f <always failing domain>
27 specify a domain that will always fail DNSSEC.
28 used to test if DNSSEC is supported in used tools.
29 -t <DNS record type to check>
30 specify a DNS record type for calculating the remaining lifetime.
31 For example SOA, A, etc.
32_EOT_
33 exit 255
34}
35
36# Parse the input options
37while getopts ":z:w:c:r:f:h:t:" opt; do
38 case $opt in
39 z)
40 zone=$OPTARG
41 ;;
42 w)
43 warning=$OPTARG
44 ;;
45 c)
46 critical=$OPTARG
47 ;;
48 r)
49 resolver=$OPTARG
50 ;;
51 f)
52 alwaysFailingDomain=$OPTARG
53 ;;
54 t)
55 recordType=$OPTARG
56 ;;
57 h)
58 usage ;;
59 esac
60done
61
62
63# Check if dig is available at all - fail hard if not
64pathToDig=$( which dig )
65if [[ ! -e $pathToDig ]]; then
66 echo "No executable of dig found, cannot proceed without dig. Sorry!"
67 exit 1
68fi
69
70# Check if we got a zone to validate - fail hard if not
71if [[ -z $zone ]]; then
72 echo "Missing zone to test - please provide a zone via the -z parameter."
73 usage
74 exit 3
75fi
76
77# Check if we got warning/critical percentage values, use defaults if not
78if [[ -z $warning ]]; then
79 warning=20
80fi
81if [[ -z $critical ]]; then
82 critical=10
83fi
84
85
86# Use Google's 8.8.8.8 resolver as fallback if none is provided
87if [[ -z $resolver ]]; then
88 resolver="8.8.8.8"
89fi
90
91if [[ -z $alwaysFailingDomain ]]; then
92 alwaysFailingDomain="dnssec-failed.org"
93fi
94
95# Use SOA record type as fallback
96if [[ -z $recordType ]]; then
97 recordType="SOA"
98fi
99
100# Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
101checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL")
102if [[ -z $checkResolverDoesDnssecValidation ]]; then
103 echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
104 exit 1
105fi
106
107# Check if the resolver delivers an answer for the domain to test
108checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
109if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
110
111 checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
112
113 if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
114 echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
115 exit 2
116 else
117 echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
118 exit 2
119 fi
120fi
121
122# Check if the domain is DNSSEC signed at all
123# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
124checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
125if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
126 echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
127 exit 1
128fi
129
130
131# Check if there are multiple RRSIG responses and check them one after the other
132now=$(date +"%s")
133rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG )
134if [[ -z $rrsigEntries ]]; then
135 echo "CRITICAL: There is no RRSIG for the SOA of your zone."
136 exit 2
137else
138 while read -r rrsig; do
139 # Get the RRSIG entry and extract the date out of it
140 expiryDateOfSignature=$( echo $rrsig | awk '{print $9}')
141 checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
142 if [[ -z $checkValidityOfExpirationTimestamp ]]; then
143 echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
144 exit 3
145 fi
146
147 inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}')
148 checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}')
149 if [[ -z $checkValidityOfInceptionTimestamp ]]; then
150 echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
151 exit 3
152 fi
153
154 # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
155 expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
156 expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
157 if [[ $? -ne 0 ]]; then
158 # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
159 expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
160 fi
161 inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
162 inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
163 if [[ $? -ne 0 ]]; then
164 # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
165 inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
166 fi
167
168
169 # calculate the remaining lifetime of the signature
170 totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
171 remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
172 remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
173
174 # store the result of this single RRSIG's check
175 if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
176 maxRemainingLifetime=$remainingLifetimeOfSignature
177 maxRemainingPercentage=$remainingPercentage
178 fi
179 done <<< "$rrsigEntries"
180fi
181
182
183
184
185# determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
186if [[ $maxRemainingPercentage -lt $critical ]]; then
187 echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
188 exit 2
189elif [[ $remainingPercentage -lt $warning ]]; then
190 echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
191 exit 1
192else
193 echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
194 exit 0
195fi