diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-10 10:44:24 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-12 00:24:46 +0200 |
commit | 97787a9dd8b136c8dc327fab42aedf2aa1109ec0 (patch) | |
tree | 4b7ea0d889a4c2c27bfec351693995f1fcba2bbb /flakes/private/monitoring/plugins | |
parent | 450e0db1a1ad900f93519c00f0ef132ec42a3728 (diff) | |
download | Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.gz Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.zst Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.zip |
Add dnssec
Diffstat (limited to 'flakes/private/monitoring/plugins')
-rwxr-xr-x | flakes/private/monitoring/plugins/check_dnssec | 195 |
1 files changed, 195 insertions, 0 deletions
diff --git a/flakes/private/monitoring/plugins/check_dnssec b/flakes/private/monitoring/plugins/check_dnssec new file mode 100755 index 0000000..a6e408d --- /dev/null +++ b/flakes/private/monitoring/plugins/check_dnssec | |||
@@ -0,0 +1,195 @@ | |||
1 | #!/usr/bin/env bash | ||
2 | |||
3 | # check_dnssec_expiry.sh | ||
4 | # | ||
5 | # Copyright 2017 by Mario Rimann <mario@rimann.org> | ||
6 | # Licensed under the permissive MIT license, see LICENSE.md | ||
7 | # | ||
8 | # Development of this script was partially sponsored by my | ||
9 | # employer internezzo, see http://www.internezzo.ch | ||
10 | # | ||
11 | # If this script helps you to make your work easier, please consider | ||
12 | # to give feedback or do something good, see https://rimann.org/support | ||
13 | |||
14 | usage() { | ||
15 | cat - >&2 << _EOT_ | ||
16 | usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>] | ||
17 | |||
18 | -z <zone> | ||
19 | specify zone to check | ||
20 | -w <critical %> | ||
21 | warning time left percentage | ||
22 | -c <critical %> | ||
23 | critical time left percentage | ||
24 | -r <resolver> | ||
25 | specify which resolver to use. | ||
26 | -f <always failing domain> | ||
27 | specify a domain that will always fail DNSSEC. | ||
28 | used to test if DNSSEC is supported in used tools. | ||
29 | -t <DNS record type to check> | ||
30 | specify a DNS record type for calculating the remaining lifetime. | ||
31 | For example SOA, A, etc. | ||
32 | _EOT_ | ||
33 | exit 255 | ||
34 | } | ||
35 | |||
36 | # Parse the input options | ||
37 | while getopts ":z:w:c:r:f:h:t:" opt; do | ||
38 | case $opt in | ||
39 | z) | ||
40 | zone=$OPTARG | ||
41 | ;; | ||
42 | w) | ||
43 | warning=$OPTARG | ||
44 | ;; | ||
45 | c) | ||
46 | critical=$OPTARG | ||
47 | ;; | ||
48 | r) | ||
49 | resolver=$OPTARG | ||
50 | ;; | ||
51 | f) | ||
52 | alwaysFailingDomain=$OPTARG | ||
53 | ;; | ||
54 | t) | ||
55 | recordType=$OPTARG | ||
56 | ;; | ||
57 | h) | ||
58 | usage ;; | ||
59 | esac | ||
60 | done | ||
61 | |||
62 | |||
63 | # Check if dig is available at all - fail hard if not | ||
64 | pathToDig=$( which dig ) | ||
65 | if [[ ! -e $pathToDig ]]; then | ||
66 | echo "No executable of dig found, cannot proceed without dig. Sorry!" | ||
67 | exit 1 | ||
68 | fi | ||
69 | |||
70 | # Check if we got a zone to validate - fail hard if not | ||
71 | if [[ -z $zone ]]; then | ||
72 | echo "Missing zone to test - please provide a zone via the -z parameter." | ||
73 | usage | ||
74 | exit 3 | ||
75 | fi | ||
76 | |||
77 | # Check if we got warning/critical percentage values, use defaults if not | ||
78 | if [[ -z $warning ]]; then | ||
79 | warning=20 | ||
80 | fi | ||
81 | if [[ -z $critical ]]; then | ||
82 | critical=10 | ||
83 | fi | ||
84 | |||
85 | |||
86 | # Use Google's 8.8.8.8 resolver as fallback if none is provided | ||
87 | if [[ -z $resolver ]]; then | ||
88 | resolver="8.8.8.8" | ||
89 | fi | ||
90 | |||
91 | if [[ -z $alwaysFailingDomain ]]; then | ||
92 | alwaysFailingDomain="dnssec-failed.org" | ||
93 | fi | ||
94 | |||
95 | # Use SOA record type as fallback | ||
96 | if [[ -z $recordType ]]; then | ||
97 | recordType="SOA" | ||
98 | fi | ||
99 | |||
100 | # Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith) | ||
101 | checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL") | ||
102 | if [[ -z $checkResolverDoesDnssecValidation ]]; then | ||
103 | echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now." | ||
104 | exit 1 | ||
105 | fi | ||
106 | |||
107 | # Check if the resolver delivers an answer for the domain to test | ||
108 | checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone) | ||
109 | if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then | ||
110 | |||
111 | checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd) | ||
112 | |||
113 | if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then | ||
114 | echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC." | ||
115 | exit 2 | ||
116 | else | ||
117 | echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active." | ||
118 | exit 2 | ||
119 | fi | ||
120 | fi | ||
121 | |||
122 | # Check if the domain is DNSSEC signed at all | ||
123 | # (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone) | ||
124 | checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short ) | ||
125 | if [[ -z $checkZoneItselfIsSignedAtAll ]]; then | ||
126 | echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)" | ||
127 | exit 1 | ||
128 | fi | ||
129 | |||
130 | |||
131 | # Check if there are multiple RRSIG responses and check them one after the other | ||
132 | now=$(date +"%s") | ||
133 | rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG ) | ||
134 | if [[ -z $rrsigEntries ]]; then | ||
135 | echo "CRITICAL: There is no RRSIG for the SOA of your zone." | ||
136 | exit 2 | ||
137 | else | ||
138 | while read -r rrsig; do | ||
139 | # Get the RRSIG entry and extract the date out of it | ||
140 | expiryDateOfSignature=$( echo $rrsig | awk '{print $9}') | ||
141 | checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}') | ||
142 | if [[ -z $checkValidityOfExpirationTimestamp ]]; then | ||
143 | echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please". | ||
144 | exit 3 | ||
145 | fi | ||
146 | |||
147 | inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}') | ||
148 | checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}') | ||
149 | if [[ -z $checkValidityOfInceptionTimestamp ]]; then | ||
150 | echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please". | ||
151 | exit 3 | ||
152 | fi | ||
153 | |||
154 | # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards | ||
155 | expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00" | ||
156 | expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null ) | ||
157 | if [[ $? -ne 0 ]]; then | ||
158 | # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic... | ||
159 | expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" ) | ||
160 | fi | ||
161 | inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00" | ||
162 | inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null ) | ||
163 | if [[ $? -ne 0 ]]; then | ||
164 | # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic... | ||
165 | inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" ) | ||
166 | fi | ||
167 | |||
168 | |||
169 | # calculate the remaining lifetime of the signature | ||
170 | totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime) | ||
171 | remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now) | ||
172 | remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime) | ||
173 | |||
174 | # store the result of this single RRSIG's check | ||
175 | if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then | ||
176 | maxRemainingLifetime=$remainingLifetimeOfSignature | ||
177 | maxRemainingPercentage=$remainingPercentage | ||
178 | fi | ||
179 | done <<< "$rrsigEntries" | ||
180 | fi | ||
181 | |||
182 | |||
183 | |||
184 | |||
185 | # determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided | ||
186 | if [[ $maxRemainingPercentage -lt $critical ]]; then | ||
187 | echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical" | ||
188 | exit 2 | ||
189 | elif [[ $remainingPercentage -lt $warning ]]; then | ||
190 | echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical" | ||
191 | exit 1 | ||
192 | else | ||
193 | echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical" | ||
194 | exit 0 | ||
195 | fi | ||