[master] new dnssec-coverage options

3702. [func] 'dnssec-coverage -l' option specifies a length of time to check for coverage; events further into the future are ignored. 'dnssec-coverage -z' checks only ZSK events, and 'dnssec-coverage -k' checks only KSK events. (Thanks to Peter Palfrader.) [RT #35168]
2025-10-13 13:58:37 +00:00 · 2014-01-10 17:53:21 -08:00
parent 990d0e893f
commit 7d2b185f16
5 changed files with 158 additions and 25 deletions
--- a/bin/python/dnssec-coverage.py.in
+++ b/bin/python/dnssec-coverage.py.in
@@ -15,6 +15,10 @@
 # PERFORMANCE OF THIS SOFTWARE.
 ############################################################################

+# changes 2014-01-08, Peter Palfrader:
+#  - support checking only X days into the future.
+#  - support checking only KSK keys or only ZSK keys.
+
 import argparse
 import os
 import glob
@@ -506,6 +510,13 @@ def check_events(eventsList, ksk):
        eventgroups.append(eventgroup)

    for eventgroup in eventgroups:
+        if (args.checklimit and
+            calendar.timegm(eventgroup[0].when) > args.checklimit):
+            print("Ignoring events after %s" %
+                  time.strftime("%a %b %d %H:%M:%S UTC %Y", 
+                      time.gmtime(args.checklimit)))
+            return True
+
        (active, published) = \
           process_events(eventgroup, active, published)

@@ -548,21 +559,23 @@ def check_zones(eventsList):

        zonesfound = True
        for alg in eventsList[zone]:
-            vspace()
-            print("Checking scheduled KSK events for zone %s, algorithm %s..." %
-                   (zone, algname(alg)))
-            if not check_events(eventsList[zone][alg], True):
-                foundprob = True
-            else:
-                print ("No errors found")
+            if not args.no_ksk:
+                vspace()
+                print("Checking scheduled KSK events for zone %s, algorithm %s..." %
+                       (zone, algname(alg)))
+                if not check_events(eventsList[zone][alg], True):
+                    foundprob = True
+                else:
+                    print ("No errors found")

-            vspace()
-            print("Checking scheduled ZSK events for zone %s, algorithm %s..." %
-                  (zone, algname(alg)))
-            if not check_events(eventsList[zone][alg], False):
-                foundprob = True
-            else:
-                print ("No errors found")
+            if not args.no_zsk:
+                vspace()
+                print("Checking scheduled ZSK events for zone %s, algorithm %s..." %
+                      (zone, algname(alg)))
+                if not check_events(eventsList[zone][alg], False):
+                    foundprob = True
+                else:
+                    print ("No errors found")

    if not zonesfound:
        print("ERROR: No key events found for %s in '%s'" %
@@ -637,17 +650,28 @@ def parse_args():
                        help='zone master file', metavar='file')
    parser.add_argument('-m', dest='maxttl', type=str,
                        help='the longest TTL in the zone(s)',
-                        metavar='int')
+                        metavar='time')
    parser.add_argument('-d', dest='keyttl', type=str,
-                        help='the DNSKEY TTL', metavar='int')
+                        help='the DNSKEY TTL', metavar='time')
    parser.add_argument('-r', dest='resign', default='1944000', 
                        type=int, help='the RRSIG refresh interval '
                                       'in seconds [default: 22.5 days]',
-                        metavar='int')
+                        metavar='time')
    parser.add_argument('-c', dest='compilezone',
                        default=compilezone, type=str,
                        help='path to \'named-compilezone\'',
                        metavar='path')
+    parser.add_argument('-l', dest='checklimit',
+                        type=str, default='0',
+                        help='Length of time to check for '
+                             'DNSSEC coverage [default: 0 (unlimited)]',
+                        metavar='time')
+    parser.add_argument('-z', dest='no_ksk',
+                        action='store_true', default=False,
+                        help='Only check zone-signing keys (ZSKs)')
+    parser.add_argument('-k', dest='no_zsk',
+                        action='store_true', default=False,
+                        help='Only check key-signing keys (KSKs)')
    parser.add_argument('-D', '--debug', dest='debug_mode',
                        action='store_true', default=False,
                        help='Turn on debugging output')
@@ -655,6 +679,10 @@ def parse_args():

    args = parser.parse_args()

+    if args.no_zsk and args.no_ksk:
+        print("ERROR: -z and -k cannot be used together.");
+        exit(1)
+
    # convert from time arguments to seconds
    try:
        if args.maxttl:
@@ -677,6 +705,17 @@ def parse_args():
    except:
        pass

+    try:
+        if args.checklimit:
+            lim = args.checklimit
+            r = parse_time(args.checklimit)
+            if r == 0:
+                args.checklimit = None
+            else:
+                args.checklimit = time.time() + r
+    except:
+        pass
+
    # if we've got the values we need from the command line, stop now
    if args.maxttl and args.keyttl:
        return