# HG changeset patch # User heiko # Date 1420580418 -3600 # Node ID bb7b3ae76cc8debb7fb7480169803810bee6e668 # Parent 8da9e81acf82876207ce774172d058fa897291a1 override works Now we read a override file (current default /etc/bind/zones.override) in case our own information about NS is not correct. Useful for these a.pending-verification.joker.com domains. diff -r 8da9e81acf82 -r bb7b3ae76cc8 plugins/check_dns-delegation --- a/plugins/check_dns-delegation Tue Jan 06 21:42:41 2015 +0100 +++ b/plugins/check_dns-delegation Tue Jan 06 22:40:18 2015 +0100 @@ -71,6 +71,11 @@ } } +sub read_override { # YEAH! :) black magic + local @ARGV = shift; + return map { (shift $_, $_) } grep { @$_ > 1 } map { [split] } map { s/#.*//r } <>; +} + # return a list of the zones known to the local # bind sub get_local_zones { @@ -122,9 +127,12 @@ ### assert: @_ % 2 == 0 my %resflags = (nameservers => \@extns, @_); my $aa = delete $resflags{aa}; + my $override = delete $resflags{override}; my $nameservers = join ',' => @{$resflags{nameservers}}; my @ns; + return sort @{$override->{$domain}} if exists $override->{$domain}; + my $r = Net::DNS::Resolver->new(%resflags); my $q; @@ -165,10 +173,10 @@ # CRITICAL - if the serial cannot be found at one of the sources sub ns_ok { - my ($domain, $reference) = @_; + my ($domain, $reference, $override) = @_; my (@errs, @ns); - my @our = eval { sort +ns($domain, nameservers => [$reference], aa => 1) }; + my @our = eval { sort +ns($domain, nameservers => [$reference], aa => 1, override => $override) }; push @errs, $@ if $@; my @their = eval { sort +ns($domain) }; @@ -181,7 +189,8 @@ if ("@our" ne "@their") { local $" = ', '; - die "NS differ (our @our) vs (their @their)\n"; + die sprintf "NS differ (%s @our) vs (public @their)\n", + $override->{$domain} ? 'override' : 'our'; } @ns = uniq sort @our, @their; 
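Review bot: `read_override` reads its file through `local @ARGV` and `<>`, which opens each name with two-argument `open` semantics, so a `--override` value containing mode or pipe characters is not treated as a plain path. A three-argument `open` on a lexical handle removes that. `shift $_` on an array reference relies on the experimental auto-dereferencing that was removed in Perl 5.24, so it should be `shift @$_` at minimum. An unreadable file also only produces a warning and an empty list here. The rewrite below keeps the same return value (each domain followed by an array reference of its name servers) and fails loudly on open errors.

```perl
sub read_override {
    my ($file) = @_;
    open my $fh, '<', $file or die "Can't open override file $file: $!\n";
    my @pairs;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;                       # strip trailing comment
        my ($domain, @ns) = split ' ', $line;
        push @pairs, $domain, \@ns if @ns;      # keep only lines that list at least one NS
    }
    return @pairs;
}
```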
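Review bot: The early `return sort @{$override->{$domain}} if exists $override->{$domain};` in `ns` matches the domain by exact string. An entry written as `Example.COM` or with a trailing dot would presumably miss, and the check would silently fall back to querying the reference server. Normalising the key on both sides, for example `my $key = lc($domain =~ s/\.$//r);` before the lookup and the same when the file is read, would make the override deterministic. The body of `ns` starts and ends outside this hunk, so any normalisation of `$domain` done elsewhere is not visible here.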
@@ -206,11 +215,14 @@ my @argv = @_; my $opt_reference = '127.0.0.1'; my $opt_progress = -t; + my ($opt_override)= grep { -f } '/etc/bind/zones.override'; + GetOptionsFromArray( \@argv, 'reference=s' => \$opt_reference, 'progress!' => \$opt_progress, + 'override=s' => \$opt_override, 'h|help' => sub { pod2usage(-verbose => 1, -exit => 0) }, 'm|man' => sub { pod2usage( @@ -223,12 +235,13 @@ and @argv or pod2usage; my @domains = get_domains(@argv); + my %override = read_override($opt_override) if defined $opt_override; my (@OK, %CRITICAL); foreach my $domain (@domains) { print STDERR "$domain " if $opt_progress; - my @ns = eval { ns_ok($domain, $opt_reference) }; + my @ns = eval { ns_ok($domain, $opt_reference, \%override) }; if ($@) { $CRITICAL{$domain} = $@; say STDERR 'fail(ns)' if $opt_progress; @@ -278,12 +291,20 @@ Tell about the progress. (default: on if input is connected to a terminal) -=item B<--additional> +=item B<--override>=I -Domains from this list are +This file lists NS names for domains. Instead of trusting our own server +we use the NS listed as the authoritive ones. This is primarly useful for +some of these domains that are held on the "pending" servers of joker. =back +=head2 Format + + # comment + ... # comment + + =head1 PERMISSIONS No special permissions are necessary, except for the domain-list URL F, since diff -r 8da9e81acf82 -r bb7b3ae76cc8 t/10-minimal.t --- a/t/10-minimal.t Tue Jan 06 21:42:41 2015 +0100 +++ b/t/10-minimal.t Tue Jan 06 22:40:18 2015 +0100 @@ -12,10 +12,12 @@ # kommentar a # more comment b - c + c ns1 ns2 # comment + d __ $tmp->flush; + sub dig_serial { (split " ", `dig +short SOA @_`)[2] } sub dig_ns { 
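Review bot: The default path is filtered with `grep { -f }`, but a path given through `--override` is taken as is, so a mistyped file name is not rejected at option parsing. Since the override list decides which name servers count as ours, a missing file should stop the check rather than let it run quietly without overrides. Adding `die "override file $opt_override not found\n" if defined $opt_override and not -f $opt_override;` after `GetOptionsFromArray` would do that. The option-parsing call continues past the end of this hunk.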
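Review bot: `my %override = read_override($opt_override) if defined $opt_override;` combines a `my` declaration with a statement modifier, which perlsyn documents as having undefined behaviour when the condition is false. Declare first and assign conditionally: `my %override;` followed by `%override = read_override($opt_override) if defined $opt_override;`. The enclosing sub begins before this hunk.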
@@ -30,6 +32,15 @@ subtest 'tools' => sub { is_deeply [sort +uniq(qw(a b a c))], [qw(a b c)] => 'uniq helper'; + # get_domains should read a list of names, either from a file + # or from the arguments, or from a combination of both + is_deeply [get_domains(qw(a b c))], [qw(a b c)] => 'domains from list'; + is_deeply [get_domains("$tmp")], [qw(a b c d)] => 'domains from file'; + is_deeply [get_domains('a', "$tmp", 'z')], + [qw(a a b c d z)] => 'domains from args and file'; + + is_deeply {read_override("$tmp")}, { c => ['ns1', 'ns2'] }, 'override file'; + my %google = ( nameservers => [qw/8.8.8.8 8.8.4.4/]); my %level3 = ( nameservers => [qw/209.244.0.3 209.244.0.4/]); @@ -58,12 +69,12 @@ }; -# get_domains should read a list of names, either from a file -# or from the arguments, or from a combination of both -is_deeply [get_domains(qw(a b c))], [qw(a b c)] => 'domains from list'; -is_deeply [get_domains("$tmp")], [qw(a b c)] => 'domains from file'; -is_deeply [get_domains('a', "$tmp", 'z')], - [qw(a a b c z)] => 'domains from args and file'; +my %override = ( + 'example.com' => [qw(ns1.foobar.de ns2.foobar.com)], +); + +is_deeply [ns('example.com', nameservers => [qw/127.0.0.1/], override => \%override)], + $override{'example.com'} => 'override'; for (qw(heise.de schlittermann.de google.com debian.org example.org)) {