#!/bin/bash
#
# Check if BIND delivers a DNSSEC-secured zone.
# It looks for KSK and ZSK and lists them in the output
#
# File:         check_dnssec-keys
# Author:       Sven Duscha ( sven dot duscha @ lrz dot de )
# Date:         2017-02-16
# Last change:  2017-02-16

# Default values for warning and critical
#WARNVAL=  # does not apply
CRITICALVAL=0
# Nagios plugin exit codes; never reassigned, so mark them read-only
readonly OK=0
readonly WARN=1
readonly CRIT=2
readonly UNKNOWN=3
# Exit status of this check; stays UNKNOWN until a result has been determined
RETVAL="$UNKNOWN"

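#######################################
# Print the command-line help and exit successfully.
# Defined before the option loop: the loop calls it, and bash only knows
# a function once its definition has been executed.
# Outputs:   usage text on stdout
# Returns:   does not return; exits 0
#######################################
usage()
{
  echo "usage: $0 -z <ZONE>"
  echo "-z <ZONE> to check."
  echo "-h this usage help"
  exit 0
}

# Parse the command line. The loop runs while at least one argument is
# left, so a lone "-h" is handled too (with "$# -gt 1" it was skipped).
while [[ $# -gt 0 ]]
do
  key="$1"

  case "$key" in
    -z|--zone)
      # -z needs a value; without this check "$2" is empty and the
      # extra shift below fails silently
      if [[ $# -lt 2 ]]; then
        echo "Option $key requires a zone name" >&2
        exit "$UNKNOWN"
      fi
      ZONE="$2"
      shift # past argument
      ;;
    -h|--help)
      usage
      ;;
    *)
      # unknown option: still ignored, but no longer silently
      echo "Ignoring unknown option: $key" >&2
      ;;
  esac
  shift # past argument or value
done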

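# A zone name is mandatory. A missing or malformed argument is a usage
# error, so exit with the plugin's UNKNOWN code (the old "exit 1" meant
# WARNING to Nagios). Values starting with "-" are rejected because dig
# would parse them as its own command-line options instead of a name.
if [[ -z "${ZONE:-}" ]]
then
  echo "No zone given as argument -z"
  exit "$UNKNOWN"
elif [[ ! "$ZONE" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]
then
  echo "Invalid zone name: $ZONE"
  exit "$UNKNOWN"
fi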

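#######################################
# Extract the key ids of one key type from "dig <zone> DNSKEY +multi" output.
# Arguments: $1 - key type tag to look for, "KSK" or "ZSK"
# Input:     dig output on stdin
# Outputs:   unique key ids, numerically sorted, space separated, on stdout
#######################################
dnskey_ids()
{
  local type="$1"
  # dig +multi ends each DNSKEY record with a comment line of the form
  # "; KSK; alg = RSASHA256 ; key id = 12345"; the key id is the last
  # field of that line, which is more stable across dig versions than
  # the fixed column 10 used before. Restricting to lines containing
  # "key id =" keeps a zone name that itself contains "KSK" from matching.
  awk -v t="$type" 'index($0, t) && /key id =/ {print $NF}' \
    | sort -u -n \
    | tr '\n' ' '
}

# Query the DNSKEY RRset once and check dig's own exit status. The old
# "$?" test ran after a pipeline and only saw tr(1)'s status, and it
# compared against 1 although dig reports network failures as 9.
# Note: dig exits 0 whenever it got an answer, including SERVFAIL and
# NXDOMAIN; those cases produce no keys and end up in the CRIT branch.
DNSKEYS=$(dig "$ZONE" DNSKEY +multi) || {
  echo "dig DNSKEY $ZONE failed."
  exit "$UNKNOWN"
}

# "sort -z" was dropped: the input is newline separated, so the NUL mode
# turned everything into one record and put a NUL byte into the result.
KSK=$(dnskey_ids KSK <<<"$DNSKEYS")
ZSK=$(dnskey_ids ZSK <<<"$DNSKEYS")

# Merge string of KSKs and ZSKs
OUTPUT="KSK: $KSK ZSK: $ZSK"

# No key of either type means the zone is not DNSSEC-secured. The old
# condition compared the literal string "ZSK" with "", so it never fired.
if [[ -z "$KSK" && -z "$ZSK" ]]
then
  echo "No DNSKEY found in $ZONE.|$OUTPUT"
  RETVAL="$CRIT"
else
  echo "$OUTPUT"
  RETVAL="$OK"
fi

exit "$RETVAL"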
