Cloud DNS Without DNSSEC

  • Query id: 80b15fb1-6207-40f4-a803-6915ae619a03
  • Query name: Cloud DNS Without DNSSEC
  • Platform: Ansible
  • Severity: Medium
  • Category: Insecure Configurations
  • CWE: 350
  • URL: Github

Description

DNSSEC must be enabled for Cloud DNS
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a second managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      kind: some_kind
- name: create a third managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      kind: some_kind
      state: off

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    dnssec_config:
      kind: some_kind
      state: on