#!/bin/bash
#
# Script that checks a domain for the ad flag
# i.e. if it is DNSSEC-secured
#
# Script:				check_dnssec-ad
# Author:				Sven Duscha ( duscha at lrz dot de )
# Date:					2017-03-27
# Last change:  2017-03-28

# Nagios/Icinga plugin exit codes
OK=0 WARN=1 CRIT=2 UNKNOWN=3

# Resolver to query; overridable with -n. The AD bit it reports is only
# meaningful if it is a DNSSEC-validating resolver that you trust.
NS=184.105.193.73

# Nothing is known about the zone until the query has actually run
RETVAL="$UNKNOWN"

# Print the command line help on stdout and terminate the script with 0.
# NOTE(review): a Nagios plugin would conventionally exit UNKNOWN (3) on a
# usage error; the exit status is kept at 0 to preserve existing behaviour.
usage()
{
	cat <<EOF
usage: $0 -z <ZONE>
-z <ZONE> to check.
-n <IP> resolver (default 184.105.193.73)
-h this usage help
EOF
	exit 0
}

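# Parse the command line into the globals ZONE and NS.
#
# The loop runs while *any* argument is left. The previous "$# -gt 1"
# condition stopped one argument early, so a lone "-h" was never seen and a
# trailing "-z" without a value was silently dropped. Options that need a
# value now check for it, and an unknown option aborts with UNKNOWN instead
# of being ignored (a typo in the check definition must not look like a
# successful DNSSEC check).
parse_args()
{
	while [[ $# -gt 0 ]]
	do
		case "$1" in
			-z|--zone)
				[[ $# -ge 2 ]] || { echo "option $1 requires a value"; exit "$UNKNOWN"; }
				ZONE="$2"
				shift 2
				;;
			-n|--nameserver)
				[[ $# -ge 2 ]] || { echo "option $1 requires a value"; exit "$UNKNOWN"; }
				NS="$2"
				shift 2
				;;
			-h|--help)
				usage	# never returns
				;;
			*)
				echo "unknown option $1"
				exit "$UNKNOWN"
				;;
		esac
	done
}
parse_args "$@"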

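# Refuse to run without a zone, and refuse a zone that dig would read as
# something other than a name: "@host" selects the server, "+opt" and "-x"
# are dig options. Both cases are a misconfigured check, so exit UNKNOWN (3)
# rather than 1, which Nagios would display as a WARNING about the zone.
case "$ZONE" in
	"")
		echo "No zone given as argument -z."
		exit "$UNKNOWN"
		;;
	[@+-]*)
		echo "Invalid zone '$ZONE': must not start with @, + or -."
		exit "$UNKNOWN"
		;;
esac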

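# Ask the resolver with the DO bit set (+dnssec) and read the AD
# ("authenticated data") bit from the response header. A resolver sets AD
# only for data it validated itself, so the verdict is exactly as
# trustworthy as the resolver behind -n and the path to it: the flag
# travels in clear text and an on-path attacker between this host and the
# resolver could set it. Point -n at a validating resolver you run or trust.

# has_ad_flag FLAGS - succeed if the space-separated header flag list
# (e.g. "qr rd ra ad") contains the AD bit.
has_ad_flag()
{
	case " $1 " in
		*" ad "*) return 0 ;;
		*)        return 1 ;;
	esac
}

DIG_OUT=$(dig @"$NS" "$ZONE" +dnssec 2>&1)
DIG_RC=$?
# Pull status and flags out of the two header lines, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
#   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
# The old "grep ad" over the whole output also matched "ad" inside the zone
# name (adobe.com) or RRSIG/DNSKEY base64 and reported unsigned zones as
# secured; only the flags line is authoritative.
STATUS=$(printf '%s\n' "$DIG_OUT" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p')
FLAGS=$(printf '%s\n' "$DIG_OUT" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
RET="status=${STATUS:-none} flags=${FLAGS:-none}"

if [ "$DIG_RC" -ne 0 ]
then
	# No response at all (resolver unreachable, timeout, dig not installed):
	# nothing is known about the zone, so UNKNOWN rather than CRITICAL.
	echo "Could not query $NS for $ZONE (dig exit $DIG_RC).|$RET"
	RETVAL=$UNKNOWN
elif has_ad_flag "$FLAGS"
then
	echo "$ZONE DNSSEC secured.|$RET"
	RETVAL=$OK
else
	# Unsigned zone, or validation failed: a validating resolver answers
	# SERVFAIL for a bogus zone and leaves AD clear. Both are CRITICAL; the
	# status word after "|" tells them apart.
	echo "Zone $ZONE INSECURE.|$RET"
	RETVAL=$CRIT	# was $CRITICAL, which is never defined, so exit got an empty argument
fi

exit "$RETVAL"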
