# HG changeset patch # User Heiko Schlittermann # Date 1499436057 -7200 # Node ID 62b17372f2d87046f05cd3a626eb5de2e8cd8e59 # Parent a9a9b00be37fa4b006f4607a75f1f91cd916169d Moved to git.schlittermann.de/ius/nagios-plugin-dns-delegation diff -r a9a9b00be37f -r 62b17372f2d8 Build.PL --- a/Build.PL Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,42 +0,0 @@ -use 5.010; -use strict; -use warnings; -use Module::Build; - -my $builder = Module::Build->new( - dist_name => 'nagios-plugin-dns-delegation', - dist_version_from => 'lib/Nagios/Check/DNS/delegation.pm', - dist_abstract => 'nagios check for dns serial numbers', -# PL_files => { -# 'plugins/check_dns-delegation.PL' => -# 'nagios/plugins/ius/check_dns-delegation' -# }, - checks_files => { - 'bin/check_dns-delegation' => - 'nagios/plugins/ius/check_dns-delegation', - }, - bin_scripts => [glob 'bin/*'], - license => 'perl', - requires => { - perl => '5.14.2', - 'Net::DNS' => '0.66', - }, - test_requires => { - 'Test::Exception' => '0.32', - }, -); - -if (not defined $builder->install_path('nagios')) { - my $base = do { - if ($builder->installdirs eq 'vendor') { '/usr/lib' } - elsif (defined $builder->install_base) { $builder->install_base } - else { '/usr/local/lib' } - }; - $builder->install_path(nagios => "$base/nagios"); -} - -$builder->bindoc_dirs([@{ $builder->bindoc_dirs }, 'blib/nagios/plugins/ius']); -$builder->add_build_element('checks'); - -# finally -$builder->create_build_script; diff -r a9a9b00be37f -r 62b17372f2d8 MANIFEST --- a/MANIFEST Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,7 +0,0 @@ -.hgignore -bin/check_dns-delegation -Build.PL -lib/Nagios/Check/DNS/delegation.pm -MANIFEST This list of files -t/10-minimal.t -t/20-serial-aa.t diff -r a9a9b00be37f -r 62b17372f2d8 MANIFEST.SKIP --- a/MANIFEST.SKIP Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,75 +0,0 @@ - -#!start included /home/heiko/perl5/lib/perl5/ExtUtils/MANIFEST.SKIP -# Avoid version control files. -\bRCS\b -\bCVS\b -\bSCCS\b -,v$ -\B\.svn\b -\B\.git\b -\B\.hg\b -\B\.gitignore\b -\b_darcs\b -\B\.cvsignore$ - -# Avoid VMS specific MakeMaker generated files -\bDescrip.MMS$ -\bDESCRIP.MMS$ -\bdescrip.mms$ - -# Avoid Makemaker generated and utility files. -\bMANIFEST\.bak -\bMakefile$ -\bblib/ -\bMakeMaker-\d -\bpm_to_blib\.ts$ -\bpm_to_blib$ -\bblibdirs\.ts$ # 6.18 through 6.25 generated this - -# Avoid Module::Build generated and utility files. -\bBuild$ -\b_build/ -\bBuild.bat$ -\bBuild.COM$ -\bBUILD.COM$ -\bbuild.com$ - -# Avoid temp and backup files. -~$ -\.old$ -\#$ -\b\.# -\.bak$ -\.tmp$ -\.# -\.rej$ - -# Avoid OS-specific files/dirs -# Mac OSX metadata -\B\.DS_Store -# Mac OSX SMB mount metadata files -\B\._ - -# Avoid Devel::Cover and Devel::CoverX::Covered files. -\bcover_db\b -\bcovered\b - -# Avoid MYMETA files -^MYMETA\. -#!end included /home/heiko/perl5/lib/perl5/ExtUtils/MANIFEST.SKIP - -# Avoid configuration metadata file -^MYMETA\. - -# Avoid Module::Build generated and utility files. -\bBuild$ -\bBuild.bat$ -\b_build -\bBuild.COM$ -\bBUILD.COM$ -\bbuild.com$ -^MANIFEST\.SKIP - -# Avoid archives of this distribution -\bnagios-plugin-dns-serial-[\d\.\_]+ -\bscratch\b diff -r a9a9b00be37f -r 62b17372f2d8 README --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/README Fri Jul 07 16:00:57 2017 +0200 @@ -0,0 +1,1 @@ +moved to git.schlittermann.de/ius/nagios-plugin-dns-delegation diff -r a9a9b00be37f -r 62b17372f2d8 bin/check_dns-delegation --- a/bin/check_dns-delegation Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,106 +0,0 @@ -#! /usr/bin/perl -# source: https://ssl.schlittermann.de/hg/ius/nagios/nagios-plugin-dns-serial -# © 2014 Heiko Schlittermann -use 5.014; -use strict; -use warnings; -use Nagios::Check::DNS::delegation qw(main); - -exit main @ARGV unless caller; - -__END__ - -=head1 NAME - - check_dns-serial - check the dns serial number from multiple sources - -=head1 SYNOPSIS - - check_dns-serial [options] DOMAINS - -=head1 DESCRIPTION - -B is designed as a Icinga/Nagios plugin to verify that -all responsible NS know about the delegation. - -Each domain has to pass the following tests: - -=over - -=item 1. - -The I server needs to be authoritive. - -=item 2. - -The NS records known outside (checked with some public DNS service) -need to match the NS records obtained from the reference server. - -=item 3. - -The serial numbers obtained from the NS servers B the -reference server need to match. All servers need to be authoritive! - -=back - -The I are passed a a list in one of the following forms: - -=over - -=item I - -A plain domain name. - -=item BI - -A file name containing the domains, line by line. - -=item B - -This item uses the output of C to get the list of -master/slave zones. The 127.in-addr.arpa, 168.192.in-addr.arpa, and -0.in-addr.arpa, and 127.in-addr.arpa zones are suppressed. - -The B domains are added automatically (See opt B). - -=back - -=cut - - -=head1 OPTIONS - -=over - -=item B<--reference>=I
- -The address of the reference server for our own domains (default: 127.0.0.1) - -=item B<--progress> - -Tell about the progress. (default: on if input is connected to a terminal) - -=item B<--override>=I - -This file lists NS names for domains. Instead of trusting our own server -we use the NS listed as the authoritive ones. This is primarly useful for -some of these domains that are held on the "pending" servers of joker. -(default: F) - -=back - -=head2 Format of the override file - - # comment - ... # comment - - -=head1 PERMISSIONS - -No special permissions are necessary, except for the domain-list URL F, since -the output of C is read. This may fail, depending on the configuration of -your bind. - -=cut - -# vim:sts=4 ts=8 sw=4 et: diff -r a9a9b00be37f -r 62b17372f2d8 debian/README.Debian --- a/debian/README.Debian Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,7 +0,0 @@ -nagios-plugin-dns-delegation for Debian ---------------------------------------- - -This package is somewhat tailored fo use schlittermann internet & unix -support - - -- Heiko Schlittermann (HS12-RIPE) Mon, 19 Jan 2015 16:13:10 +0100 diff -r a9a9b00be37f -r 62b17372f2d8 debian/README.source --- a/debian/README.source Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,10 +0,0 @@ -nagios-plugin-dns-delegation for Debian ---------------------------------------- - - - - - - -- Heiko Schlittermann (HS12-RIPE) Mon, 19 Jan 2015 16:13:10 +0100 - diff -r a9a9b00be37f -r 62b17372f2d8 debian/changelog --- a/debian/changelog Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,188 +0,0 @@ -nagios-plugin-dns-delegation (0.6) stable; urgency=medium - - * Fix nzf parser for comment lines - - -- Heiko Schlittermann (HS12-RIPE) Tue, 12 Jul 2016 16:09:55 +0200 - -nagios-plugin-dns-delegation (0.5) stable; urgency=medium - - * real fix for the postinst - - -- Heiko Schlittermann (HS12-RIPE) Thu, 15 Oct 2015 15:09:02 +0200 - -nagios-plugin-dns-delegation (0.4) stable; urgency=medium - - * fix postinst - - -- Heiko Schlittermann (HS12-RIPE) Thu, 15 Oct 2015 15:01:02 +0200 - -nagios-plugin-dns-delegation (0.3) stable; urgency=medium - - * added /etc/check_dns-delegation directory: - - -- Heiko Schlittermann (HS12-RIPE) Thu, 22 Jan 2015 15:20:25 +0100 - -nagios-plugin-dns-delegation (0.2) stable; urgency=medium - - * override file is now /etc/check_dns-delegation: - * added postinst script to create the override file - - -- Heiko Schlittermann (HS12-RIPE) Thu, 22 Jan 2015 15:05:40 +0100 - -nagios-plugin-dns-delegation (0.1) stable; urgency=medium - - * intial framework: - * works for NS check: Now we can compare the officially known name - servers (from googles public NS service) with the name servers a - reference system knows. - * added manpage and help: - * reference localhost: We use the local host as a reference for the - domains in question. - * added local: option for named-checkconf -p: - * check for AA flag: Make sure that we compare the authoritive answers - with the outside worlds view. - * fix: skip subdomains of 168.192.in-addr.arpa: - * Smart::Comments only if $ENV{DEBUG}: - * complete error description: - * working on pu for now.: Further testing expected. - * more on caching of resolver objects: - * serial is compared with reference server too: - * updated doc: - * more doc: - * Serial needs have the aa flag set!: - * override works: Now we read a override file (current default - /etc/bind/zones.override) in case our own information about NS is - not correct. Useful for these a.pending-verification.joker.com - domains. 
- * include the override domains and shuffle: The list of override - domains is considered as part of the domains that need to be - checked. - * Include the override domains into local:: If local: is selected as - source of domain names, the override file will be used as an - additional source too. - * zones.override automatically added to domainlist: If the local: - domainlist is used, the domains containted in the override file are - added automatically to the list of domains - * [merged]: - * moved the code to a perl module: Now the working parts are in - Nagios::Check::DNS::delegation.pm. It's not a package. Just a - detached module. - * doc added: - * Better message if there is no ns server known in public, but the - domain: - * added check for serial aa: Now we can ask the serial() to request aa - answers. - * check serial with overrides, not with local server: - * local: read from nzf: - * changed handling of overrides: No the overrides are considered to be - our reference source - * nzf does not contain quotations: - * better matching for optional quotes: - * updated manifest: - * all the example files for later reference: - * intial framework: - * works for NS check: Now we can compare the officially known name - servers (from googles public NS service) with the name servers a - reference system knows. - * added manpage and help: - * reference localhost: We use the local host as a reference for the - domains in question. - * added local: option for named-checkconf -p: - * check for AA flag: Make sure that we compare the authoritive answers - with the outside worlds view. - * fix: skip subdomains of 168.192.in-addr.arpa: - * Smart::Comments only if $ENV{DEBUG}: - * complete error description: - * working on pu for now.: Further testing expected. 
- * more on caching of resolver objects: - * serial is compared with reference server too: - * updated doc: - * more doc: - * Serial needs have the aa flag set!: - * override works: Now we read a override file (current default - /etc/bind/zones.override) in case our own information about NS is - not correct. Useful for these a.pending-verification.joker.com - domains. - * include the override domains and shuffle: The list of override - domains is considered as part of the domains that need to be - checked. - * Include the override domains into local:: If local: is selected as - source of domain names, the override file will be used as an - additional source too. - * zones.override automatically added to domainlist: If the local: - domainlist is used, the domains containted in the override file are - added automatically to the list of domains - * [merged]: - * moved the code to a perl module: Now the working parts are in - Nagios::Check::DNS::delegation.pm. It's not a package. Just a - detached module. - * doc added: - * Better message if there is no ns server known in public, but the - domain: - * added check for serial aa: Now we can ask the serial() to request aa - answers. - * check serial with overrides, not with local server: - * local: read from nzf: - * changed handling of overrides: No the overrides are considered to be - our reference source - * nzf does not contain quotations: - * better matching for optional quotes: - * updated manifest: - * all the example files for later reference: - * intial framework: - * works for NS check: Now we can compare the officially known name - servers (from googles public NS service) with the name servers a - reference system knows. - * added manpage and help: - * reference localhost: We use the local host as a reference for the - domains in question. - * added local: option for named-checkconf -p: - * check for AA flag: Make sure that we compare the authoritive answers - with the outside worlds view. 
- * fix: skip subdomains of 168.192.in-addr.arpa: - * Smart::Comments only if $ENV{DEBUG}: - * complete error description: - * working on pu for now.: Further testing expected. - * more on caching of resolver objects: - * serial is compared with reference server too: - * updated doc: - * more doc: - * Serial needs have the aa flag set!: - * override works: Now we read a override file (current default - /etc/bind/zones.override) in case our own information about NS is - not correct. Useful for these a.pending-verification.joker.com - domains. - * include the override domains and shuffle: The list of override - domains is considered as part of the domains that need to be - checked. - * Include the override domains into local:: If local: is selected as - source of domain names, the override file will be used as an - additional source too. - * zones.override automatically added to domainlist: If the local: - domainlist is used, the domains containted in the override file are - added automatically to the list of domains - * [merged]: - * moved the code to a perl module: Now the working parts are in - Nagios::Check::DNS::delegation.pm. It's not a package. Just a - detached module. - * doc added: - * Better message if there is no ns server known in public, but the - domain: - * added check for serial aa: Now we can ask the serial() to request aa - answers. - * check serial with overrides, not with local server: - * local: read from nzf: - * changed handling of overrides: No the overrides are considered to be - our reference source - * nzf does not contain quotations: - * better matching for optional quotes: - * updated manifest: - * all the example files for later reference: - - -- Heiko Schlittermann (HS12-RIPE) Wed, 21 Jan 2015 16:52:31 +0100 - -nagios-plugin-dns-delegation (0.0) unstable; urgency=low - - * Initial release - - -- Heiko Schlittermann (HS12-RIPE) Mon, 19 Jan 2015 16:13:10 +0100 diff -r a9a9b00be37f -r 62b17372f2d8 debian/compat 
--- a/debian/compat Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +0,0 @@ -9 diff -r a9a9b00be37f -r 62b17372f2d8 debian/control --- a/debian/control Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,17 +0,0 @@ -Source: nagios-plugin-dns-delegation -Section: admin -Priority: optional -Maintainer: Heiko Schlittermann (HS12-RIPE) -Build-Depends: debhelper (>= 9), dpkg-dev -Standards-Version: 3.9.6 -Vcs-Browser: https://ssl.schlittermann.de/hg/ius/nagios/nagios-plugin-dns-delegation/default -Homepage: http://schlittermann.de/ -#Vcs-Git: git://anonscm.debian.org/collab-maint/nagios-plugin-dns-delegation.git - -Package: nagios-plugin-dns-delegation -Architecture: all -Depends: ${misc:Depends}, ${perl:Depends}, libnet-dns-perl -Description: nagios plugin check_dns-delegation - This nagios plugin checks the consistency of the DNS delegation, it compares - the public view with a (local) reference server and compares the serial - numbers of the known nameservers. diff -r a9a9b00be37f -r 62b17372f2d8 debian/copyright --- a/debian/copyright Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,22 +0,0 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Upstream-Name: nagios-plugin-dns-delegation -Source: https://ssl.schlittermann.de/hg/ius/nagios/nagios-plugin-dns-delegation - -Files: * -Copyright: 2015 Heiko Schlittermann (HS12-RIPE) -License: GPL-2+ - This package is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - . - This package is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - . - You should have received a copy of the GNU General Public License - along with this program. If not, see - . - On Debian systems, the complete text of the GNU General - Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". diff -r a9a9b00be37f -r 62b17372f2d8 debian/dirs --- a/debian/dirs Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +0,0 @@ -/etc/check_dns-delegation diff -r a9a9b00be37f -r 62b17372f2d8 debian/docs diff -r a9a9b00be37f -r 62b17372f2d8 debian/postinst --- a/debian/postinst Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,49 +0,0 @@ -#!/bin/sh -# postinst script for nagios-plugin-dns-delegation -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - - -case "$1" in - configure) - old=/etc/bind/zones.override - new=/etc/check_dns-delegation/override - if test -f $new; then - : - elif test -f $old; then - mv $old $new - else - touch $new - chmod a+r $new - fi - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff -r a9a9b00be37f -r 62b17372f2d8 debian/rules --- a/debian/rules Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,34 +0,0 @@ -#!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) -# output every command that modifies files on the build system. -DH_VERBOSE = 1 -export PERL5LIB= -export PERL_MM_OPT= -export PERL_MB_OPT= - -# see EXAMPLES in dpkg-buildflags(1) and read /usr/share/dpkg/* -DPKG_EXPORT_BUILDFLAGS = 1 -include /usr/share/dpkg/default.mk - -# see FEATURE AREAS in dpkg-buildflags(1) -#export DEB_BUILD_MAINT_OPTIONS = hardening=+all - -# see ENVIRONMENT in dpkg-buildflags(1) -# package maintainers to append CFLAGS -#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -# package maintainers to append LDFLAGS -#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed - - -# main packaging script based on dh7 syntax -%: - dh $@ - -# debmake generated override targets -# This is example for Cmake (See http://bugs.debian.org/641051 ) -#override_dh_auto_configure: -# dh_auto_configure -- \ -# -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH) - -override_dh_installchangelogs: - dh_installchangelogs CHANGES diff -r a9a9b00be37f -r 62b17372f2d8 debian/source/options --- a/debian/source/options Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,2 +0,0 @@ ---extend-diff-ignore = "\b\.hg/" ---tar-ignore diff -r a9a9b00be37f -r 62b17372f2d8 lib/Nagios/Check/DNS/delegation.pm --- a/lib/Nagios/Check/DNS/delegation.pm Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,248 +0,0 @@ -use 5.014; -use strict; -use warnings; -use Getopt::Long qw(GetOptionsFromArray); -use Net::DNS; -use Pod::Usage; -use if $ENV{DEBUG} => 'Smart::Comments'; -use List::Util qw(shuffle); - -sub uniq { my %h; @h{@_} = (); return keys %h; } -my @extns = qw(8.8.8.8 8.8.4.4); - -package Net::DNS::Resolver { - use Storable qw(freeze); - sub new { - my $class = shift; - state %cache; - return $cache{freeze \@_} //= $class->SUPER::new(@_); - } -} - -sub read_override { # YEAH! :) black magic - local @ARGV = shift; - return map { (shift @$_, $_) } grep { @$_ > 1 } map { [split] } map { s/#.*//r } <>; -} - -# return a list of the zones known to the local -# bind -sub get_local_zones { - my @conf; - open(my $z, '-|') or do { - my $bind_directory; - open(my $x, '-|', 'named-checkconf -p'); - while (<$x>) { - /^\s*directory\s+"(.*)";/ and $bind_directory = $1; - print; - } - if (defined $bind_directory) { - local @ARGV = grep { -f } glob "$bind_directory/*nzf"; - print <> if @ARGV; - } - exit 0; - }; - while (<$z>) { - /^#/ and next; # comment - state $line; - s/^\s*(.*?)\s*$/$1 /; - chomp($line .= $_); # continuation line - if (/\A\}/) { # config item done - $line =~ s/\s$//; - push @conf, $line; - $line = ''; - } - } - return grep { - # FIXME: 172.0 .. 
172.31 is missing - not /\b(?:0|127|10|168\.192|255)\.in-addr\.arpa$/ and - not /^localhost$/; - } map { /zone\s"?(\S+?)"?\s/ } grep { /type (?:master|slave)/ } @conf; -} - -sub get_domains { - my %arg = @_; - my @sources = @{ $arg{sources} }; - my @domains = (); - - foreach my $src (@sources) { - - if ($src =~ m{^(?:(/.*)|file://(/.*))}) { - open(my $f, '<', $1) or die "$0: Can't open $1 for reading: $!\n"; - push @domains, map { /^\s*(\S+)\s*/ } grep { !/^\s*#/ } <$f>; - next; - } - - if ($src =~ m{^local:}) { - push @domains, get_local_zones; - push @domains, @{$arg{local}} if $arg{local}; - next; - } - - push @domains, $src; - } - - return @domains; -} - -# return a list of "official" nameservers -sub ns { - my $domain = shift; - ### assert: @_ % 2 == 0 - my %resflags = (nameservers => \@extns, @_); - my $aa = delete $resflags{aa}; - my $nameservers = join ',' => @{$resflags{nameservers}}; - my @ns; - - my $r = Net::DNS::Resolver->new(%resflags); - my $q; - - for (my $i = 3; $i; --$i) { - $q = $r->query($domain, 'NS') and last; - } - die $r->errorstring . 
"\@$nameservers\n" if not $q; - - die "no aa(NS) \@$nameservers\n" if $aa and not $q->header->aa; - push @ns, map { $_->nsdname } grep { $_->type eq 'NS' } $q->answer; - - return sort @ns; -} - -sub serial { - my $domain = shift; - my %resflags = (nameservers => \@extns, @_); - my $aa = delete $resflags{aa}; - my $nameservers = join ',' => @{$resflags{nameservers}}; - - my $r = Net::DNS::Resolver->new(%resflags); - my $q; - - for (my $i = 3; $i; --$i) { - $q = $r->query($domain, 'SOA') and last; - } - die $r->errorstring, "\@$nameservers\n" if not $q; - die "no aa(SOA) \@$nameservers\n" if $aa and not $q->header->aa; - - return (map { $_->serial } grep { $_->type eq 'SOA' } $q->answer)[0]; -} - -# - the nameservers known from the ns records -# - from the primary master if this is not one of the -# NS for the zone -# - from a list of additional (hidden) servers -# -# OK - if the serial numbers are in sync -# WARNING - if there is some difference -# CRITICAL - if the serial cannot be found at one of the sources - -sub ns_ok { - my ($domain, $references, $is_override) = @_; - - my (@errs, @ns); - # obtain an authoritive list of nameservers from the reference server - my @our = eval { sort +ns($domain, nameservers => $references, aa => 1) }; - if (chomp $@) { - push @errs, $@; - push @our, $@; - } - - # obtain a list of nameservers from some public nameserver - my @public = eval { sort +ns($domain) }; - if (chomp $@) { - push @errs, $@; - push @public, $@; - } - - if (@errs or "@our" ne "@public") { - local $" = ', '; - die sprintf "NS differ (%s: @our) vs (public: @public)\n", - $is_override ? 
'override' : 'our'; - - } - - @ns = uniq sort @our, @public; - ### @ns - return @ns; -} - -sub serial_ok { - my ($domain, $ns) = @_; - my @serials = map { my $s = serial $domain, nameservers => [$_], aa => 1; "$s\@$_" } @$ns; - ### @serials - - if (uniq(map { /(\d+)/ } @serials) != 1) { - die "serials do not match: @serials\n"; - } - - $serials[0] =~ /(\d+)/; - return $1; -} - -sub main { - my @argv = @_; - my $opt_reference = '127.0.0.1'; - my $opt_progress = -t; - my ($opt_override)= grep { -f } '/etc/check_dns-delegation/override'; - - - GetOptionsFromArray( - \@argv, - 'reference=s' => \$opt_reference, - 'progress!' => \$opt_progress, - 'override=s' => \$opt_override, - 'h|help' => sub { pod2usage(-verbose => 1, -exit => 0) }, - 'm|man' => sub { - pod2usage( - -verbose => 2, - -exit => 0, - -noperldoc => system('perldoc -V 2>/dev/null 1>&2') - ); - } - ) - and @argv - or pod2usage; - my %override = read_override($opt_override) if defined $opt_override; - my @domains = get_domains(sources => \@argv, local => [keys %override]); - - my (@OK, %CRITICAL); - foreach my $domain (shuffle @domains) { - state $all = @domains; - state $i++; - print STDERR "$domain ($i/$all) " if $opt_progress; - - my @ns = eval { ns_ok($domain, $override{$domain} ? $override{$domain} : [$opt_reference], - $override{$domain}) }; - if ($@) { - $CRITICAL{$domain} = $@; - say STDERR 'fail(ns)' if $opt_progress; - next; - } - print STDERR 'ok(ns) ' if $opt_progress; - - my @serial = eval { serial_ok($domain, [@ns, $override{$domain} ? () : $opt_reference]) }; - if ($@) { - $CRITICAL{$domain} = $@; - say STDERR 'fail(serial)' if $opt_progress; - next; - } - say STDERR 'ok(serial)' if $opt_progress; - push @OK, $domain; - - } - - # use DDP; - # p @OK; - # p %CRITICAL; - - if (my $n = keys %CRITICAL) { - print "CRITICAL: $n of " . @domains . " domains\n", - map { "$_: $CRITICAL{$_}" } sort keys %CRITICAL; - return 2; - } - - say 'OK: ' . @OK . 
' domains checked'; - return 0; - -} - -1; -# vim:sts=4 ts=8 sw=4 et: diff -r a9a9b00be37f -r 62b17372f2d8 t/10-minimal.t --- a/t/10-minimal.t Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,99 +0,0 @@ -#! perl -use 5.014; -use strict; -use warnings; -use Test::More; -use File::Temp; -use Test::Exception; -use Storable qw(freeze); - -my $tmp = File::Temp->new; -$tmp->print(<<__); -# kommentar - a # more comment - b - c ns1 ns2 # comment - d -__ -$tmp->flush; - - -sub dig_serial { (split " ", `dig +short SOA @_`)[2] } -sub dig_ns { sort map { /(\S+?)\.?$/ } `dig +short NS @_` } - -# we require it, it's not a normal module -use blib; -use_ok('Nagios::Check::DNS::delegation') - or BAIL_OUT q{can't require the module}; - - -subtest 'tools' => sub { - is_deeply [sort +uniq(qw(a b a c))], [qw(a b c)] => 'uniq helper'; - - # get_domains should read a list of names, either from a file - # or from the arguments, or from a combination of both - is_deeply [get_domains(sources => [qw/a b c/])], [qw(a b c)] => 'domains from list'; - is_deeply [get_domains(sources => ["$tmp"])], [qw(a b c d)] => 'domains from file'; - is_deeply [get_domains(sources => ['a', "$tmp", 'z'])], [qw(a a b c d z)] => 'domains from args and file'; - - is_deeply {read_override("$tmp")}, { c => ['ns1', 'ns2'] }, 'override file'; - - my %google = ( nameservers => [qw/8.8.8.8 8.8.4.4/]); - my %level3 = ( nameservers => [qw/209.244.0.3 209.244.0.4/]); - - my $r1a = Net::DNS::Resolver->new(%google); - my $r1b = Net::DNS::Resolver->new(%google); - - my $r2a = Net::DNS::Resolver->new(%level3); - my $r2b = Net::DNS::Resolver->new(%level3); - - is $r1a, $r1b => 'same google'; - is $r2a, $r2b => 'same level3'; - isnt $r1a, $r2a => 'not same google/level3'; - - my (@a, @b); - @a = qw[8.8.8.1]; - my $r3a = Net::DNS::Resolver->new(nameservers => \@a); - @a = qw[8.8.4.2]; - my $r3b = Net::DNS::Resolver->new(nameservers => \@a); - isnt $r3a, $r3b => 'same ref, but not same object'; - - @b = @a; - is freeze(\@a), freeze(\@b) => 'frozen lists'; - my $r3c = Net::DNS::Resolver->new(nameservers => \@b); - is $r3b, $r3c => 'same servers, but not same ref'; - -}; - - - -for (qw(heise.de schlittermann.de 
google.com debian.org example.org)) { - - subtest $_ => sub { - - throws_ok { ns($_, nameservers => [qw/8.8.8.8/], aa => 1) } - qr/no aa/ => 'not authoritive @8.8.8.8'; - is_deeply [ns($_)], [dig_ns($_)] => "ns \@default"; - is_deeply [ns($_, nameservers => [qw/8.8.4.4/])], - [dig_ns('@8.8.4.4', $_)] => "ns \@8.8.4.4"; - is serial($_, nameservers => [qw/8.8.8.8/]), - dig_serial('@8.8.8.8', $_) => 'serial'; - }; - -} - -# ns for some domain we're not the master for, should be refused -throws_ok { ns('example.org', nameservers => [qw/f.nic.de a.nic.de/]) } -qr/^REFUSED/ => 'throws on refused query'; -throws_ok { ns('safasdfasdfrandomadsfefvddeas') } -qr/^NXDOMAIN/ => 'throws on nx domain'; - -ok ns_ok('schlittermann.de', ['212.80.235.130']) => 'ns_ok for schlittermann.de'; -throws_ok { ns_ok('heise.de', ['212.80.235.130']) } qr/no aa|differ|REFUSED/ => 'ns_ok for heise.de'; -throws_ok { ns_ok('heise.de', ['8.8.8.8']) } qr/no aa|differ|REFUSED/ => 'ns_ok for heise.de'; - -# serial - -done_testing(); - -# vim:sts=4 sw=4 ts=8: diff -r a9a9b00be37f -r 62b17372f2d8 t/20-serial-aa.t --- a/t/20-serial-aa.t Tue Jul 12 16:10:03 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,15 +0,0 @@ -#! perl -use strict; -use warnings; -use Test::More; -use Test::Exception; -use Nagios::Check::DNS::delegation; - -throws_ok { serial('schlittermann.de', - nameservers => [qw/8.8.8.8 8.8.4.4/], aa => 1) } - qr/no aa/ => 'throws exception on no aa'; - -ok serial('schlittermann.de', nameservers => [qw/212.80.235.130/]) - => 'aa for serial'; - -done_testing;
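
Review bot: the new README gives the new location as a bare `git.schlittermann.de/ius/nagios-plugin-dns-delegation` with no scheme. After this changeset it is the only pointer left in the tree, because the `Vcs-Browser` line in debian/control and the `Source` line in debian/copyright are removed along with everything else. Suggest writing the full browse or clone URL, scheme included, so that anyone following the pointer knows exactly which endpoint to fetch from.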
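
Review bot: the POD in bin/check_dns-delegation names the program `check_dns-serial` in NAME and SYNOPSIS, and the `# source:` comment points at nagios-plugin-dns-serial, while the script is installed as check_dns-delegation. The sentence about suppressed zones also lists 127.in-addr.arpa twice and does not match the filter in delegation.pm, which is `(?:0|127|10|168\.192|255)\.in-addr\.arpa`. If the script is carried over to the new repository, the name and the zone list in the documentation should be aligned with the code.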
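
Review bot: in debian/changelog the 0.1 entry contains the same run of items three times, from "intial framework" through "all the example files for later reference". If the changelog is kept at the new location, collapse it to one copy and fix the spellings "intial" and "containted" while doing so.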
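
Review bot: in debian/postinst the `configure` branch runs `chmod a+r $new` only when the override file is freshly created with `touch $new`. When an existing /etc/bind/zones.override is migrated with `mv $old $new`, it keeps the owner and mode it had under /etc/bind, which may not be readable by the user that runs the check. Suggest applying the same chmod after the `mv` if this script is reused.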
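
Review bot: in lib/Nagios/Check/DNS/delegation.pm, get_domains matches `m{^(?:(/.*)|file://(/.*))}` and then calls `open(my $f, '<', $1)`. For a `file://` source the path is captured in `$2` and `$1` is undefined, so that form never opens the intended file; opening `$1 // $2` and using the same value in the die message would fix it. Separately, read_override and get_local_zones read their input through `local @ARGV` and `<>`, which opens each name with two-argument open semantics. An explicit three-argument open for the `--override` path and for the globbed `*nzf` files keeps a file name from being interpreted as a mode or a pipe. Both points apply only if the module is carried over unchanged to the new repository.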
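
Review bot: t/10-minimal.t and t/20-serial-aa.t shell out to `dig` and query 8.8.8.8, 8.8.4.4, 212.80.235.130 and live zones such as heise.de and example.org, so the result depends on network access and on the current state of third-party DNS data rather than on the code under test. At the new location these subtests should be skipped unless network tests are explicitly enabled, with the offline parts (`uniq`, `get_domains`, `read_override`, the resolver cache) kept as the default suite. The label 'ns_ok for heise.de' is also used for two different assertions, which makes a failure ambiguous.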