diff -r e502f4d6e7a2 -r 8da9e81acf82 plugins/check_dns-delegation --- a/plugins/check_dns-delegation Tue Jan 06 15:14:23 2015 +0100 +++ b/plugins/check_dns-delegation Tue Jan 06 21:42:41 2015 +0100 @@ -12,13 +12,24 @@ =head1 DESCRIPTION -B is designed as a Icinga/Nagios plugin to verify that -all responsible NS have the same serial number for their zones. +B is designed as a Icinga/Nagios plugin to verify that +all responsible NS know about the delegation. + +Each domain has to survive the following tests: + +=over + +=item The I server needs to be authoritive. -Domains we are not responsible for are marked as B. -Mismatching serial numbers are marked as B. +=item The NS records known outside (checked with some public DNS service) +need to match the NS records obtained from the reference server. -The list of domains may consist of the following items: +=item The serial numbers obtained from the NS servers B the +reference server need to match. All servers need to be authoritive! + +=back + +The I are passed a a list in one of the following forms: =over @@ -90,7 +101,7 @@ if ($src =~ m{^(?:(/.*)|file://(/.*))}) { open(my $f, '<', $1) or die "$0: Can't open $1 for reading: $!\n"; - push @domains, map { /^\s*(\S+)\s*/ } <$f>; + push @domains, map { /^\s*(\S+)\s*/ } grep { !/^\s*#/ } <$f>; next; } @@ -159,6 +170,7 @@ my (@errs, @ns); my @our = eval { sort +ns($domain, nameservers => [$reference], aa => 1) }; push @errs, $@ if $@; + my @their = eval { sort +ns($domain) }; push @errs, $@ if $@; @@ -179,7 +191,7 @@ sub serial_ok { my ($domain, @ns) = @_; - my @serials = map { my $s = serial $domain, nameservers => [$_]; "$s\@$_" } @ns; + my @serials = map { my $s = serial $domain, nameservers => [$_], aa => 1; "$s\@$_" } @ns; ### @serials if (uniq(map { /(\d+)/ } @serials) != 1) { 
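Review bot: The new POD in the `-12,13 +12,24` hunk has a few wording slips that will end up in the rendered manual page. `authoritive` (used twice) should read `authoritative`, and `are passed a a list` should read `are passed as a list`. The article in `a Icinga/Nagios plugin` should be `an`.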
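Review bot: In the `-90,7 +101,7` hunk the path is always taken from `$1`, but the pattern `m{^(?:(/.*)|file://(/.*))}` puts a `file://` path into `$2`. A `file:///...` source therefore reaches `open` with an undefined name and dies with an empty path in the message. Choosing the capture first covers both forms: `my $path = $1 // $2;` followed by `open(my $f, '<', $path) or die "$0: Can't open $path for reading: $!\n";`. The added `grep { !/^\s*#/ }` skips comment lines, but every remaining first token is still accepted as a domain with no syntax check, which may be worth adding for file input. The enclosing block starts and ends outside the hunk.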
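Review bot: In `serial_ok` (hunk `-179,7 +191,7`) the comparison `uniq(map { /(\d+)/ } @serials)` takes the first run of digits anywhere in `"$s\@$_"`. If `serial` returns an empty or undefined value for a server, which may be more likely now that `aa => 1` is required, the digits come from the name server's name or address and the check compares the wrong thing. Whether `serial` dies or returns nothing in that case is not visible here and should be confirmed. Anchoring the pattern to the serial, `/^(\d+)\@/`, and treating a server with no match as a failure would keep a non-authoritative server from passing unnoticed. The body of `serial_ok` continues past the end of the hunk.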
@@ -219,7 +231,7 @@ my @ns = eval { ns_ok($domain, $opt_reference) }; if ($@) { $CRITICAL{$domain} = $@; - say STDERR 'ns not ok' if $opt_progress; + say STDERR 'fail(ns)' if $opt_progress; next; } print STDERR 'ok(ns) ' if $opt_progress; @@ -227,7 +239,7 @@ my @serial = eval { serial_ok($domain, @ns, $opt_reference) }; if ($@) { $CRITICAL{$domain} = $@; - say STDERR 'serial not ok' if $opt_progress; + say STDERR 'fail(serial)' if $opt_progress; next; } say STDERR 'ok(serial)' if $opt_progress; @@ -266,6 +278,10 @@ Tell about the progress. (default: on if input is connected to a terminal) +=item B<--additional> + +Domains from this list are + =back =head1 PERMISSIONS
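Review bot: The description of `--additional` in the `-266,6 +278,10` hunk stops mid-sentence at `Domains from this list are`, so the option is documented without saying what it does. The sentence should be finished to say what happens to these domains and how they relate to the main list, and should state a default as the `--progress` entry does. None of the hunks shown here add handling for `--additional` to the option parsing. If that code does not already exist elsewhere in the file, the item documents an option the plugin will reject.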