Last active
November 12, 2018 22:53
-
-
Save cdcme/ff954f73ebabb43f1ca3f80363eb445a to your computer and use it in GitHub Desktop.
Gist for checking zone configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| checksigned() { | |
| ZONE=`basename "$1" .`. | |
| if [ "$ZONE" = .. ] | |
| then | |
| ZONE=. | |
| fi | |
| NAME=`basename "$ZONE" .` | |
| NO_NS=true | |
| NO_SEC=false | |
| OPTS="+cd +noall +answer +nocl +nottl" | |
| dig $OPTS NS "$ZONE" @publicdns.goog | { | |
| # Check each delegated name server | |
| while read DOMAIN TYPE NS | |
| do | |
| if [ "$DOMAIN $TYPE" != "$ZONE NS" ] | |
| then | |
| continue | |
| fi | |
| NO_NS=false | |
| if dig +cd +dnssec +norecurse DNSKEY "$ZONE" "@$NS" | | |
| egrep 'RRSIG[[:space:]]+DNSKEY' > /dev/null | |
| then | |
| echo "$NS has DNSSEC data for $NAME" | |
| else | |
| echo "$NS does not have DNSSEC data for $NAME" | |
| NO_SEC=true | |
| fi | |
| done | |
| if "$NO_NS" | |
| then | |
| echo "$NAME is not a delegated DNS zone" | |
| else | |
| if "$NO_SEC" | |
| then | |
| return | |
| fi | |
| MINTTL=`dig +cd SOA "$ZONE" @publicdns.goog | | |
| awk '/^[^;]/ && $4=="SOA" { print $11 }'` | |
| echo "Negative cache for $NAME expires after $MINTTL seconds." | |
| fi | |
| } | |
| } | |
| checksigned "$1" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment