#!/bin/bash
#
# Check command for DNSSEC monitoring with ldns-verify-zone
#
#
# File:         check_dnssec-ldns
# Author:       Sven Duscha ( sven dot duscha @ lrz dot de )
# Date:         2017-02-15
# Last change:  2017-02-15

# Nagios plugin exit codes used as the script's return value.
OK=0        # exit status OK
WARN=1      # exit status WARNING
CRIT=2      # exit status CRITICAL
UNKNOWN=3   # exit status UNKNOWN
# Until the check has produced a result, report UNKNOWN.
RETVAL=${UNKNOWN}

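#######################################
# Print the usage help and exit with status 0.
# Globals:   none (reads $0 for the script name)
# Outputs:   help text to stdout
#######################################
usage()
{
  echo "usage: $0 -z <ZONE>"
  echo "-z <ZONEFILE> to check."
  echo "-e <EXPIRATION> date of signatures for warning."
  echo "-h this usage help"
  exit 0
}

# Parse command-line options into ZONEFILE and EXPIRATION.
# usage() is defined above this loop on purpose: bash resolves function
# names at call time, so "-h" would otherwise fail with "command not found".
# The loop runs while at least one argument is left so that a trailing
# "-h" (or a lone "-z" without a value) is still seen.
while [[ $# -gt 0 ]]
do
  key="$1"

  case "$key" in
    -z|--zone)
      # A missing option value is reported instead of becoming an empty
      # zone file name.
      if [[ $# -lt 2 ]]; then
        echo "option $key requires an argument" >&2
        exit "$UNKNOWN"
      fi
      ZONEFILE="$2"
      shift # past value
      ;;
    -e|--expiration)
      if [[ $# -lt 2 ]]; then
        echo "option $key requires an argument" >&2
        exit "$UNKNOWN"
      fi
      EXPIRATION="$2"
      shift # past value
      ;;
    -h|--help)
      usage
      ;;
    *)
      # Unknown options are ignored, as before.
      ;;
  esac
  shift # past option name
done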

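# Do the work using ldns-verify-zone.
# A missing zone file, an unreadable one, or a missing tool is a
# plugin/configuration problem and is reported as UNKNOWN, not as a
# problem with the zone itself.
if [[ -z "$ZONEFILE" ]]; then
  printf '%s\n' "ldns-verify-zone failed.|no zone file given (use -z <ZONEFILE>)"
  exit "$UNKNOWN"
fi
if [[ ! -r "$ZONEFILE" ]]; then
  printf '%s\n' "ldns-verify-zone failed.|cannot read zone file $ZONEFILE"
  exit "$UNKNOWN"
fi
if ! command -v ldns-verify-zone >/dev/null 2>&1; then
  printf '%s\n' "ldns-verify-zone failed.|ldns-verify-zone not found in PATH"
  exit "$UNKNOWN"
fi

# Build the argument list as an array so that a zone file path containing
# whitespace or glob characters is passed as one word, and so that "-e" is
# only passed when an expiration period was given (with an empty value,
# "-e" would consume the zone file name as its argument instead).
args=()
if [[ -n "$EXPIRATION" ]]; then
  args+=(-e "$EXPIRATION")
fi
args+=("$ZONEFILE")

OUTPUT=$(ldns-verify-zone "${args[@]}" 2>&1)

# Classify the result once, from the tool's output.  The OK test is an
# exact match, so any extra diagnostic line (for example an expiration
# warning) prevents an OK result.
if [[ "$OUTPUT" == "Zone is verified and complete" ]]; then
  printf '%s\n' "ldns-verify-zone OK.|$OUTPUT"
  RETVAL=$OK
elif [[ "$OUTPUT" == *"signature will expire"* ]]; then
  # Signatures expire soon.
  printf '%s\n' "$OUTPUT"
  RETVAL=$WARN
else
  # Anything else (verification errors, unexpected output) is critical.
  printf '%s\n' "$OUTPUT"
  RETVAL=$CRIT
fi

exit "$RETVAL"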
