1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
|
#!/usr/bin/perl
#
# Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING
# file distributed with this software for details.
#
#
# expchk
#
# This script checks a keyrec file for expired zones.
#
use strict;
use Getopt::Long qw(:config no_ignore_case_always);
use Net::DNS::SEC::Tools::conf;
use Net::DNS::SEC::Tools::keyrec;
use Net::DNS::SEC::Tools::tooloptions;
#
# Version information.
#
my $NAME = "expchk";
my $VERS = "$NAME version: 1.13.0";
my $DTVERS = "DNSSEC-Tools Version: 1.13";
#######################################################################
#
# Time-related "constants" and variables.
#
my $DAY = (24 * 60 * 60); # Seconds in a day.
my $curtime; # Current time.
#######################################################################
#
# Data required for command line options.
#
my %options = (); # Filled option array.
my @opts =
(
"all", # Report state of all zones.
"expired", # Report expired zones. (default)
"valid", # Report unexpired zones.
"warn=i", # Warn on expire in N days.
"zone=s", # Only check specified zone keyrec.
"count", # Give count of expired/valid keyrecs.
"help", # Give a usage message and exit.
"Version", # Display the version number.
);
my $allflag = 0; # Report on all zones.
my $cntflag = 0; # Only report count of matching zones.
my $expiredflag = 0; # Report on expired zones.
my $validflag = 0; # Report on valid zones.
my $warndays = 0; # Warn on expire in N days.
my $zone = ""; # Only report on this zone
my $version = 0; # Display the version number.
my $count = 0; # Matching-zones count.
my @krnames; # List of keyrecs in the file.
my %zones = (); # Names of zone keyrecs.
main();
exit(0);
#-----------------------------------------------------------------------------
#
# Routine: main()
#
# Purpose: Staging area.
#
sub main()
{
my $argc = @ARGV; # Number of command line arguments.
erraction(ERR_EXIT);
#
# Get our options.
#
doopts();
#
# Check our watch.
#
$curtime = time();
#
# Read the keyrec files.
#
while($argc > 0)
{
getkeyrecs($ARGV[0]);
shift @ARGV;
$argc = @ARGV;
}
#
# Check the zones.
#
zonechecks();
print("$count matching zones\n") if($cntflag);
}
#-----------------------------------------------------------------------------
#
# Routine: doopts()
#
# Purpose: This routine deals with the command's options. It checks
# several special conditions:
#
# - A warning is given if -warn is given only with
# -expired.
#
# - If -all is given, set internal variables to
# indicate the both valid and expired zones will
# be checked.
#
sub doopts
{
my $argc; # Number of command line arguments.
#
# Check our options.
#
GetOptions(\%options,@opts) || usage();
$allflag = $options{'all'};
$expiredflag = $options{'expired'};
$validflag = $options{'valid'};
$warndays = $options{'warn'};
$zone = $options{'zone'};
$cntflag = $options{'count'};
version() if(defined($options{'Version'}));
usage() if(defined($options{'help'}));
#
# -warn is ignored when used only with -expire.
#
if(($warndays > 0) && $expiredflag && !$validflag)
{
print STDERR "warning: -warn is ignored when used with -expired\n";
$warndays = 0;
}
#
# If -all was given, set flags to indicate all data should be shown.
#
if($allflag)
{
$expiredflag = 1;
$validflag = 1;
}
#
# If a specific check wasn't requested, we'll default to
# an expired-zone check.
#
if(($expiredflag == 0) && ($validflag == 0))
{
$expiredflag = 1;
}
#
# Ensure we were given at least one keyrec file to peruse.
#
$argc = @ARGV;
usage() if($argc == 0);
}
#-----------------------------------------------------------------------------
#
# Routine: getkeyrecs()
#
# Purpose: Load the zone information from the specified keyrec files.
#
sub getkeyrecs
{
my $krfile = shift; # Keyrec file.
keyrec_read($krfile);
@krnames = keyrec_names();
#
# Go through each keyrec name, save off the records for each
# zone keyrec.
#
foreach my $krn (sort(@krnames))
{
my $kr; # Reference to keyrec.
my %keyrec; # Keyrec.
my $type; # Keyrec's type.
$kr = keyrec_fullrec($krn);
%keyrec = %$kr;
$type = $keyrec{'keyrec_type'};
$zones{$krn} = $kr if($type eq 'zone');
}
}
#-----------------------------------------------------------------------------
#
# Routine: zonechecks()
#
# Purpose: This routine checks if a zone is expired or not. The
# whole set of loaded zones are checked, unless the user
# specified a specific zone to check.
#
sub zonechecks
{
my @fields = keyrec_keyfields(); # Valid key fields.
#
# Make sure the keyrec file had some zone keyrecs.
#
if(length(%zones) == 0)
{
print STDERR "no zones defined\n";
return;
}
#
# If a zone name wasn't given on the command line, we'll go through
# all the zones in the specified keyrec files. If a zone name was
# given, we'll only look at that zone.
#
if($zone eq "")
{
my $zonename; # Zone name for looping.
#
# Go through the whole set of zones.
#
foreach $zonename (sort(keys(%zones)))
{
checkexpire($zonename);
}
}
else
{
#
# Look at the user-specified zone, but only if it's actually
# defined in the keyrec files we were given.
#
if(defined($zones{$zone}))
{
checkexpire($zone);
}
else
{
print STDERR "zone $zone not defined in specified keyrec files\n";
}
}
}
#-----------------------------------------------------------------------------
#
# Routine: checkexpire()
#
# Purpose: This routine performs the actual expiration check. It
# compares the sign date and end-time from the zone's keyrec
# with the current timestamp. If the -warn flag was given,
# then an additional check is made for valid zones to find
# if the expiration date is within a user-specified number
# of days.
#
sub checkexpire
{
my $zonename = shift; # Zone name for looping.
my $zkrref; # Zone keyrec reference.
my %zkr; # Zone keyrec.
my $endtime; # Zone's endtime.
my $signsecs; # Zone's sign date.
my $secs; # Seconds in "+nnn" endtime.
my $days; # Days until zone expiration.
my $daystr = "days"; # Days string.
my $finaltime; # Time zone expires.
#
# Get the zone's times.
#
$zkrref = $zones{$zonename};
%zkr = %$zkrref;
$endtime = $zkr{'endtime'};
$signsecs = $zkr{'keyrec_signsecs'};
#
# Ensure that the keyrec's signing date is older than the
# current time.
#
if($signsecs > $curtime)
{
print STDERR "bizarre time: $zonename sign date more recent than current date\n";
return;
}
#
# Get the number of seconds until the keyrec's end time and
# calculate the keyrec's expiration date.
#
if($endtime =~ /^+/)
{
$endtime =~ /\+([0-9]+)/;
$secs = $1;
}
$finaltime = $signsecs + $secs;
#
# Give an appropriate message if the zone is valid or expired.
# The message will be given depending on the appropriate command
# line option having been given. We also might give a message
# if the zone is valid but close expiration.
#
if($finaltime <= $curtime)
{
if($expiredflag == 1)
{
$secs = $curtime - $finaltime;
$days = int($secs / $DAY);
$daystr = "day" if ($days == 1);
print "$zonename expired $days $daystr ago\n" if(!$cntflag);
$count++;
}
}
else
{
#
# If the zone has expired, we'll (maybe) give a message
# about it.
#
if($validflag == 1)
{
#
# Figure out how many days are left until expiration.
#
$secs = $finaltime - $curtime;
$days = int($secs / $DAY);
$daystr = "day" if ($days == 1);
#
# Check if the keyrec will soon expire.
#
if($days <= $warndays)
{
print "$zonename valid: expires in $days $daystr\n" if(!$cntflag);
}
else
{
print "$zonename valid\n" if(!$cntflag);
}
$count++;
}
}
}
#----------------------------------------------------------------------
#
# Routine: version()
#
# Purpose: Print the version number(s) and exit.
#
sub version
{
print STDERR "$VERS\n";
print STDERR "$DTVERS\n";
exit(0);
}
#-----------------------------------------------------------------------------
#
# Routine: usage()
#
sub usage
{
print STDERR "usage: expchk [options] <keyrec files>\n";
print STDERR "\toptions:\n";
print STDERR "\t\t-all show all zones\n";
print STDERR "\t\t-expired show expired zones\n";
print STDERR "\t\t-valid show valid zones\n";
print STDERR "\t\t-warn <num> warn if expiration in <num> days\n";
print STDERR "\t\t-zone <name> show the specified zone only\n";
print STDERR "\t\t-count only show the count of matching zones\n";
print STDERR "\t\t-help display this help message\n";
print STDERR "\t\t-Version display version number\n";
exit(0);
}
1;
##############################################################################
#
=pod
=head1 NAME
expchk - Check a I<keyrec> file for expired zones
=head1 SYNOPSIS
expchk -all -expired -valid -warn numdays -zone zonename -count -help keyrec_files
=head1 DESCRIPTION
B<expchk> checks a set of I<keyrec> files to determine if the zone I<keyrec>s
are valid or expired. The type of zones displayed depends on the options
chosen; if no options are given the expired zones will be listed.
=head1 OPTIONS
=over 4
=item B<-all>
Display expiration information on all zones, expired or valid, in the
specified I<keyrec> files.
=item B<-expired>
Display expiration information on the expired zones in the specified
I<keyrec> files. This is the default action.
=item B<-valid>
Display expiration information on the valid zones in the specified
I<keyrec> files.
=item B<-warn numdays>
A warning will be given for each valid zone that will expire in I<numdays>
days. This option has no effect on expired zones.
=item B<-zone zonename>
Display expiration information on the zone specified in I<zonename>.
=item B<-count>
Only the count of matching zones (valid or expired) will be given. If both
types of zones are selected, then the count will be the number of zones in the
specified I<keyrec> files.
=item B<-help>
Display a usage message.
=item B<-Version>
Displays the version information for B<expchk> and the DNSSEC-Tools package.
=back
=head1 COPYRIGHT
Copyright 2004-2012 SPARTA, Inc. All rights reserved.
See the COPYING file included with the DNSSEC-Tools package for details.
=head1 AUTHOR
Wayne Morrison, tewok@tislabs.com
=head1 SEE ALSO
B<zonesigner(8)>
B<Net::DNS::SEC::Tools::keyrec.pm(3)>
=cut
|
