DNSSEC Using RSASHA1

• Query id: ccc3100c-0fdd-4a5e-9908-c10107291860
• Query name: DNSSEC Using RSASHA1
• Platform: Terraform
• Severity: High
• Category: Encryption
• URL: Github

Description

DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - tf file

resource "google_dns_managed_zone" "positive1" {
    name        = "example-zone"
    dns_name    = "example-${random_id.rnd.hex}.com."
    description = "Example DNS zone"
    labels = {
        foo = "bar"
    }

    dnssec_config {
        default_key_specs{
            algorithm = "rsasha1"
        }
    }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "google_dns_managed_zone" "negative1" {
    name        = "example-zone"
    dns_name    = "example-${random_id.rnd.hex}.com."
    description = "Example DNS zone"
    labels = {
        foo = "bar"
    }

    dnssec_config {
        default_key_specs{
            algorithm = "rsasha256"
        }
    }
}