1 files changed, 195 insertions, 0 deletions
diff --git a/flakes/private/monitoring/plugins/check_dnssec b/flakes/private/monitoring/plugins/check_dnssec
new file mode 100755
index 0000000..a6e408d
--- /dev/null
+++ b/flakes/private/monitoring/plugins/check_dnssec
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+# check_dnssec_expiry.sh
+#
+# Copyright 2017 by Mario Rimann <mario@rimann.org>
+# Licensed under the permissive MIT license, see LICENSE.md
+#
+# Development of this script was partially sponsored by my
+# employer internezzo, see http://www.internezzo.ch
+#
+# If this script helps you to make your work easier, please consider
+# to give feedback or do something good, see https://rimann.org/support
+usage() {
+        cat - >&2 << _EOT_
+usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
+        -z <zone>
+                specify zone to check
+        -w <critical %>
+                warning time left percentage
+        -c <critical %>
+                critical time left percentage
+        -r <resolver>
+                specify which resolver to use.
+        -f <always failing domain>
+                specify a domain that will always fail DNSSEC.
+                used to test if DNSSEC is supported in used tools.
+        -t <DNS record type to check>
+                specify a DNS record type for calculating the remaining lifetime.
+                For example SOA, A, etc.
+_EOT_
+        exit 255
+}
+# Parse the input options
+while getopts ":z:w:c:r:f:h:t:" opt; do
+  case $opt in
+    z)
+      zone=$OPTARG
+      ;;
+    w)
+      warning=$OPTARG
+      ;;
+    c)
+      critical=$OPTARG
+      ;;
+    r)
+      resolver=$OPTARG
+      ;;
+    f)
+      alwaysFailingDomain=$OPTARG
+      ;;
+    t)
+      recordType=$OPTARG
+      ;;
+    h)
+      usage ;;
+  esac
+done
+# Check if dig is available at all - fail hard if not
+pathToDig=$( which dig )
+if [[ ! -e $pathToDig ]]; then
+        echo "No executable of dig found, cannot proceed without dig. Sorry!"
+        exit 1
+fi
+# Check if we got a zone to validate - fail hard if not
+if [[ -z $zone ]]; then
+        echo "Missing zone to test - please provide a zone via the -z parameter."
+        usage
+        exit 3
+fi
+# Check if we got warning/critical percentage values, use defaults if not
+if [[ -z $warning ]]; then
+        warning=20
+fi
+if [[ -z $critical ]]; then
+        critical=10
+fi
+# Use Google's 8.8.8.8 resolver as fallback if none is provided
+if [[ -z $resolver ]]; then
+        resolver="8.8.8.8"
+fi
+if [[ -z $alwaysFailingDomain ]]; then
+        alwaysFailingDomain="dnssec-failed.org"
+fi
+# Use SOA record type as fallback
+if [[ -z $recordType ]]; then
+        recordType="SOA"
+fi
+# Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
+checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL")
+if [[ -z $checkResolverDoesDnssecValidation ]]; then
+        echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
+        exit 1
+fi
+# Check if the resolver delivers an answer for the domain to test
+checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
+if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
+        checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
+        if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
+                echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
+                exit 2
+        else
+                echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
+                exit 2
+        fi
+fi
+# Check if the domain is DNSSEC signed at all
+# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
+checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
+if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
+        echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
+        exit 1
+fi
+# Check if there are multiple RRSIG responses and check them one after the other
+now=$(date +"%s")
+rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG )
+if [[ -z $rrsigEntries ]]; then
+        echo "CRITICAL: There is no RRSIG for the SOA of your zone."
+        exit 2
+else
+        while read -r rrsig; do
+                # Get the RRSIG entry and extract the date out of it
+                expiryDateOfSignature=$( echo $rrsig | awk '{print $9}')
+                checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
+                if [[ -z $checkValidityOfExpirationTimestamp ]]; then
+                        echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
+                        exit 3
+                fi
+                inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}')
+                checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}')
+                if [[ -z $checkValidityOfInceptionTimestamp ]]; then
+                        echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
+                        exit 3
+                fi
+                # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
+                expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
+                expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
+                if [[ $? -ne 0 ]]; then
+                        # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+                        expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
+                fi
+                inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
+                inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
+                if [[ $? -ne 0 ]]; then
+                        # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+                        inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
+                fi
+                # calculate the remaining lifetime of the signature
+                totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
+                remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
+                remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
+                # store the result of this single RRSIG's check
+                if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
+                        maxRemainingLifetime=$remainingLifetimeOfSignature
+                        maxRemainingPercentage=$remainingPercentage
+                fi
+        done <<< "$rrsigEntries"
+fi
+# determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
+if [[ $maxRemainingPercentage -lt $critical ]]; then
+        echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 2
+elif [[ $remainingPercentage -lt $warning ]]; then
+        echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 1
+else
+        echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 0
+fi

diff --git a/flakes/private/monitoring/plugins/check_dnssec b/flakes/private/monitoring/plugins/check_dnssec new file mode 100755 index 0000000..a6e408d --- /dev/null +++ b/flakes/private/monitoring/plugins/check_dnssec
@@ -0,0 +1,195 @@
	1	#!/usr/bin/env bash
	2
	3	# check_dnssec_expiry.sh
	4	#
	5	# Copyright 2017 by Mario Rimann <mario@rimann.org>
	6	# Licensed under the permissive MIT license, see LICENSE.md
	7	#
	8	# Development of this script was partially sponsored by my
	9	# employer internezzo, see http://www.internezzo.ch
	10	#
	11	# If this script helps you to make your work easier, please consider
	12	# to give feedback or do something good, see https://rimann.org/support
	13
	14	usage() {
	15	cat - >&2 << _EOT_
	16	usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
	17
	18	-z <zone>
	19	specify zone to check
	20	-w <critical %>
	21	warning time left percentage
	22	-c <critical %>
	23	critical time left percentage
	24	-r <resolver>
	25	specify which resolver to use.
	26	-f <always failing domain>
	27	specify a domain that will always fail DNSSEC.
	28	used to test if DNSSEC is supported in used tools.
	29	-t <DNS record type to check>
	30	specify a DNS record type for calculating the remaining lifetime.
	31	For example SOA, A, etc.
	32	_EOT_
	33	exit 255
	34	}
	35
	36	# Parse the input options
	37	while getopts ":z:w:c:r:f:h:t:" opt; do
	38	case $opt in
	39	z)
	40	zone=$OPTARG
	41	;;
	42	w)
	43	warning=$OPTARG
	44	;;
	45	c)
	46	critical=$OPTARG
	47	;;
	48	r)
	49	resolver=$OPTARG
	50	;;
	51	f)
	52	alwaysFailingDomain=$OPTARG
	53	;;
	54	t)
	55	recordType=$OPTARG
	56	;;
	57	h)
	58	usage ;;
	59	esac
	60	done
	61
	62
	63	# Check if dig is available at all - fail hard if not
	64	pathToDig=$( which dig )
	65	if [[ ! -e $pathToDig ]]; then
	66	echo "No executable of dig found, cannot proceed without dig. Sorry!"
	67	exit 1
	68	fi
	69
	70	# Check if we got a zone to validate - fail hard if not
	71	if [[ -z $zone ]]; then
	72	echo "Missing zone to test - please provide a zone via the -z parameter."
	73	usage
	74	exit 3
	75	fi
	76
	77	# Check if we got warning/critical percentage values, use defaults if not
	78	if [[ -z $warning ]]; then
	79	warning=20
	80	fi
	81	if [[ -z $critical ]]; then
	82	critical=10
	83	fi
	84
	85
	86	# Use Google's 8.8.8.8 resolver as fallback if none is provided
	87	if [[ -z $resolver ]]; then
	88	resolver="8.8.8.8"
	89	fi
	90
	91	if [[ -z $alwaysFailingDomain ]]; then
	92	alwaysFailingDomain="dnssec-failed.org"
	93	fi
	94
	95	# Use SOA record type as fallback
	96	if [[ -z $recordType ]]; then
	97	recordType="SOA"
	98	fi
	99
	100	# Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
	101	checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} \| grep "opcode: QUERY" \| grep "status: SERVFAIL")
	102	if [[ -z $checkResolverDoesDnssecValidation ]]; then
	103	echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
	104	exit 1
	105	fi
	106
	107	# Check if the resolver delivers an answer for the domain to test
	108	checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
	109	if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
	110
	111	checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
	112
	113	if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
	114	echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
	115	exit 2
	116	else
	117	echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
	118	exit 2
	119	fi
	120	fi
	121
	122	# Check if the domain is DNSSEC signed at all
	123	# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
	124	checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
	125	if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
	126	echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
	127	exit 1
	128	fi
	129
	130
	131	# Check if there are multiple RRSIG responses and check them one after the other
	132	now=$(date +"%s")
	133	rrsigEntries=$( dig @$resolver $recordType $zone +dnssec \| grep RRSIG )
	134	if [[ -z $rrsigEntries ]]; then
	135	echo "CRITICAL: There is no RRSIG for the SOA of your zone."
	136	exit 2
	137	else
	138	while read -r rrsig; do
	139	# Get the RRSIG entry and extract the date out of it
	140	expiryDateOfSignature=$( echo $rrsig \| awk '{print $9}')
	141	checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature \| egrep '[0-9]{14}')
	142	if [[ -z $checkValidityOfExpirationTimestamp ]]; then
	143	echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
	144	exit 3
	145	fi
	146
	147	inceptionDateOfSignature=$( echo $rrsig \| awk '{print $10}')
	148	checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature \| egrep '[0-9]{14}')
	149	if [[ -z $checkValidityOfInceptionTimestamp ]]; then
	150	echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
	151	exit 3
	152	fi
	153
	154	# Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
	155	expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
	156	expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
	157	if [[ $? -ne 0 ]]; then
	158	# if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
	159	expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
	160	fi
	161	inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
	162	inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
	163	if [[ $? -ne 0 ]]; then
	164	# if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
	165	inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
	166	fi
	167
	168
	169	# calculate the remaining lifetime of the signature
	170	totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
	171	remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
	172	remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
	173
	174	# store the result of this single RRSIG's check
	175	if [[ -z $maxRemainingLifetime \|\| $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
	176	maxRemainingLifetime=$remainingLifetimeOfSignature
	177	maxRemainingPercentage=$remainingPercentage
	178	fi
	179	done <<< "$rrsigEntries"
	180	fi
	181
	182
	183
	184
	185	# determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
	186	if [[ $maxRemainingPercentage -lt $critical ]]; then
	187	echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) \| sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
	188	exit 2
	189	elif [[ $remainingPercentage -lt $warning ]]; then
	190	echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) \| sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
	191	exit 1
	192	else
	193	echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) \| sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
	194	exit 0
	195	fi