package checker
import (
"context"
"fmt"
sdk "git.happydns.org/checker-sdk-go/checker"
)
// dnskeyTTLMinRule warns when a server's observed DNSKEY TTL is below a
// configurable minimum (option "dnskeyTTLMin", defaulting to
// defaultDNSKEYTTLMinSec). It carries no state; the zero value is usable.
type dnskeyTTLMinRule struct{}
// Name returns the stable identifier under which this rule is registered
// and referenced in results.
func (dnskeyTTLMinRule) Name() string {
	const ruleName = "dnssec_dnskey_ttl_min"
	return ruleName
}
// Description returns the one-line, human-readable summary of what this
// rule checks, as shown to operators next to the rule name.
func (dnskeyTTLMinRule) Description() string {
	const summary = "Warns when the DNSKEY TTL is too short to be useful for caching."
	return summary
}
// Evaluate loads the DNSSEC observations for the zone and compares each
// server's DNSKEY TTL against the configured minimum.
//
// Outcomes, in order of precedence:
//   - the error state from loadDNSSEC, if the observations could not be loaded;
//   - a skipped state when no server published any DNSKEY (zone not signed);
//   - a single warn state for the first server (in sortedServers order) whose
//     non-zero DNSKEY TTL is below the minimum;
//   - otherwise an ok state for the zone.
//
// The minimum comes from the "dnskeyTTLMin" option, falling back to
// defaultDNSKEYTTLMinSec. Note that a minimum of 0 makes the "< minTTL"
// comparison impossible to satisfy, so the rule then always reports ok.
func (dnskeyTTLMinRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState {
	data, errState := loadDNSSEC(ctx, obs)
	if errState != nil {
		return errState
	}
	if !hasAnyDNSKEY(data) {
		return skipped("zone not signed")
	}

	minTTL := optionUint(opts, "dnskeyTTLMin", defaultDNSKEYTTLMinSec)

	for _, name := range sortedServers(data) {
		srv := data.Servers[name]
		// A zero TTL is not evaluated (presumably no DNSKEY was observed on
		// that server); only a positive TTL below the threshold warns.
		if srv.DNSKEYTTL == 0 || uint(srv.DNSKEYTTL) >= minTTL {
			continue
		}
		warn := sdk.CheckState{
			Status:  sdk.StatusWarn,
			Subject: name,
			Message: fmt.Sprintf("DNSKEY TTL on %s = %ds (recommended ≥ %ds)", name, srv.DNSKEYTTL, minTTL),
		}
		// Only the first offending server is reported; sortedServers makes
		// that choice deterministic across runs.
		return []sdk.CheckState{withMeta(warn, "Increase the DNSKEY TTL so resolvers cache the keys; short TTLs increase load and break key-rollover prepublish strategies.", "dnssec.dnskey_ttl_low")}
	}

	return okState(data.Domain, "DNSKEY TTL is at or above the recommended minimum")
}