use drill instead of dig (dig is buggy)

DE-IBH · Oct 31, 2014 · 62f9eaa · 62f9eaa
1 parent 5e0256b
commit 62f9eaa
Showing 1 changed file with 12 additions and 14 deletions.
diff --git a/local/dnssec.sh b/local/dnssec.sh
@@ -1,12 +1,12 @@
 #!/bin/bash
 
-# A simple local check for check_mk to validate the DNSSEC trust chain using the dig +sigchase feature
+# A simple local check for check_mk to validate the DNSSEC trust chain using drill
 
 # Install instructions:
-# - Install dig:
-#   apt-get install dnsutils
-# - Generate the trusted-key file for dig:
-#   dig . dnskey | grep 257 > /etc/trusted-key.key
+# - Install drill:
+#   apt-get install ldnsutils
+# - Generate the trusted-key file for drill:
+#   drill DNSKEY . | grep "257 "> /etc/trusted-key.key
 # - Place this file in your agent's local check directory (/usr/lib/check_mk_agent/local)
 # - Adjust the ZONES array below
 
@@ -26,7 +26,9 @@
 # Copyright 2014 by Frederik Kriewitz <[email protected]>.
 
 # array with zones to check
+#ZONES=("dnssec-failed.org")
 ZONES=()
+KEYFILE="/etc/trusted-key.key"
 
 # add any local bind signed zones
 for FILE in /var/cache/bind/*.zone.signed
@@ -39,18 +41,14 @@ done
 # check the zones
 for ZONE in ${ZONES[@]}
 do
-	CHASE=$(dig +topdown +sigchase $ZONE)
-	RESULT_TEXT=$(echo "$CHASE" | grep "^\;\;" | grep -Fv 'cleanandgo' | tail -n 1)
-	RESULT=$(echo "$RESULT_TEXT" | awk '{print $NF}')
-
-	if [ "$RESULT" == "SUCCESS" ];
-	then
-		STATUS=0
-	elif [ "$RESULT" == "FAILED" ];
+	CHASE=$(drill -k "$KEYFILE" -TD $ZONE)
+	RESULT_TEXT=$(echo "$CHASE" | awk '/^\[[^T]\]/' ORS=' ')
+	if [ -n "$RESULT_TEXT" ];
 	then
 		STATUS=2
 	else
-		STATUS=3
+		RESULT_TEXT=$(echo "$CHASE" | grep "^\[" | tail -n 1)
+		STATUS=0
 	fi
 
 	echo  "$STATUS dnssec_$ZONE - ${RESULT_TEXT/;; /}"