10 |
10 |
11 check_dns-serial [options] DOMAINS |
11 check_dns-serial [options] DOMAINS |
12 |
12 |
13 =head1 DESCRIPTION |
13 =head1 DESCRIPTION |
14 |
14 |
15 B<check_dns-serial> is designed as a Icinga/Nagios plugin to verify that |
15 B<check_dns-delegation> is designed as a Icinga/Nagios plugin to verify that |
16 all responsible NS have the same serial number for their zones. |
16 all responsible NS know about the delegation. |
17 |
17 |
18 Domains we are not responsible for are marked as B<critical>. |
18 Each domain has to survive the following tests: |
19 Mismatching serial numbers are marked as B<critical>. |
19 |
20 |
20 =over |
21 The list of domains may consist of the following items: |
21 |
|
22 =item The I<reference> server needs to be authoritive. |
|
23 |
|
24 =item The NS records known outside (checked with some public DNS service) |
|
25 need to match the NS records obtained from the reference server. |
|
26 |
|
27 =item The serial numbers obtained from the NS servers B<and> the |
|
28 reference server need to match. All servers need to be authoritive! |
|
29 |
|
30 =back |
|
31 |
|
32 The I<DOMAINS> are passed a a list in one of the following forms: |
22 |
33 |
23 =over |
34 =over |
24 |
35 |
25 =item I<domain> |
36 =item I<domain> |
26 |
37 |
88 |
99 |
89 foreach my $src (@sources) { |
100 foreach my $src (@sources) { |
90 |
101 |
91 if ($src =~ m{^(?:(/.*)|file://(/.*))}) { |
102 if ($src =~ m{^(?:(/.*)|file://(/.*))}) { |
92 open(my $f, '<', $1) or die "$0: Can't open $1 for reading: $!\n"; |
103 open(my $f, '<', $1) or die "$0: Can't open $1 for reading: $!\n"; |
93 push @domains, map { /^\s*(\S+)\s*/ } <$f>; |
104 push @domains, map { /^\s*(\S+)\s*/ } grep { !/^\s*#/ } <$f>; |
94 next; |
105 next; |
95 } |
106 } |
96 |
107 |
97 if ($src =~ m{^local:}) { |
108 if ($src =~ m{^local:}) { |
98 push @domains, get_local_zones; |
109 push @domains, get_local_zones; |
157 my ($domain, $reference) = @_; |
168 my ($domain, $reference) = @_; |
158 |
169 |
159 my (@errs, @ns); |
170 my (@errs, @ns); |
160 my @our = eval { sort +ns($domain, nameservers => [$reference], aa => 1) }; |
171 my @our = eval { sort +ns($domain, nameservers => [$reference], aa => 1) }; |
161 push @errs, $@ if $@; |
172 push @errs, $@ if $@; |
|
173 |
162 my @their = eval { sort +ns($domain) }; |
174 my @their = eval { sort +ns($domain) }; |
163 push @errs, $@ if $@; |
175 push @errs, $@ if $@; |
164 |
176 |
165 if (@errs) { |
177 if (@errs) { |
166 chomp @errs; |
178 chomp @errs; |
177 return @ns; |
189 return @ns; |
178 } |
190 } |
179 |
191 |
180 sub serial_ok { |
192 sub serial_ok { |
181 my ($domain, @ns) = @_; |
193 my ($domain, @ns) = @_; |
182 my @serials = map { my $s = serial $domain, nameservers => [$_]; "$s\@$_" } @ns; |
194 my @serials = map { my $s = serial $domain, nameservers => [$_], aa => 1; "$s\@$_" } @ns; |
183 ### @serials |
195 ### @serials |
184 |
196 |
185 if (uniq(map { /(\d+)/ } @serials) != 1) { |
197 if (uniq(map { /(\d+)/ } @serials) != 1) { |
186 die "serials do not match: @serials\n"; |
198 die "serials do not match: @serials\n"; |
187 } |
199 } |
217 print STDERR "$domain " if $opt_progress; |
229 print STDERR "$domain " if $opt_progress; |
218 |
230 |
219 my @ns = eval { ns_ok($domain, $opt_reference) }; |
231 my @ns = eval { ns_ok($domain, $opt_reference) }; |
220 if ($@) { |
232 if ($@) { |
221 $CRITICAL{$domain} = $@; |
233 $CRITICAL{$domain} = $@; |
222 say STDERR 'ns not ok' if $opt_progress; |
234 say STDERR 'fail(ns)' if $opt_progress; |
223 next; |
235 next; |
224 } |
236 } |
225 print STDERR 'ok(ns) ' if $opt_progress; |
237 print STDERR 'ok(ns) ' if $opt_progress; |
226 |
238 |
227 my @serial = eval { serial_ok($domain, @ns, $opt_reference) }; |
239 my @serial = eval { serial_ok($domain, @ns, $opt_reference) }; |
228 if ($@) { |
240 if ($@) { |
229 $CRITICAL{$domain} = $@; |
241 $CRITICAL{$domain} = $@; |
230 say STDERR 'serial not ok' if $opt_progress; |
242 say STDERR 'fail(serial)' if $opt_progress; |
231 next; |
243 next; |
232 } |
244 } |
233 say STDERR 'ok(serial)' if $opt_progress; |
245 say STDERR 'ok(serial)' if $opt_progress; |
234 push @OK, $domain; |
246 push @OK, $domain; |
235 |
247 |
264 |
276 |
265 =item B<--progress> |
277 =item B<--progress> |
266 |
278 |
267 Tell about the progress. (default: on if input is connected to a terminal) |
279 Tell about the progress. (default: on if input is connected to a terminal) |
268 |
280 |
|
281 =item B<--additional> |
|
282 |
|
283 Domains from this list are |
|
284 |
269 =back |
285 =back |
270 |
286 |
271 =head1 PERMISSIONS |
287 =head1 PERMISSIONS |
272 |
288 |
273 No special permissions are necessary, except for the domain-list URL F<local:>, since |
289 No special permissions are necessary, except for the domain-list URL F<local:>, since |
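Review bot: In the `foreach my $src (@sources)` hunk (new lines 102-103), a `file:///path` source lands in `$2`, but `open` and the error message use `$1`, which is undef on that branch of the alternation. Per perlfunc, a three-argument `open` whose filename is undef opens an empty anonymous temp file under any mode, so the call most likely succeeds and the source silently contributes no domains. The plugin can then report OK for zones it never checked. A single capture avoids this: `if ($src =~ m{^(?:file://)?(/.*)}) {`. It would also be worth dying when a file source yields no domains at all. The loop body continues outside the hunk, so how an empty `@domains` is handled later is not visible here.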