DNSSEC Using RSASHA1

  • Query id: ccc3100c-0fdd-4a5e-9908-c10107291860
  • Query name: DNSSEC Using RSASHA1
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • CWE: 326
  • URL: Github

Description

DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_dns_managed_zone" "positive1" {
    name        = "example-zone"
    dns_name    = "example-${random_id.rnd.hex}.com."
    description = "Example DNS zone"
    labels = {
        foo = "bar"
    }

    dnssec_config {
        default_key_specs{
            algorithm = "rsasha1"
        }
    }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_dns_managed_zone" "negative1" {
    name        = "example-zone"
    dns_name    = "example-${random_id.rnd.hex}.com."
    description = "Example DNS zone"
    labels = {
        foo = "bar"
    }

    dnssec_config {
        default_key_specs{
            algorithm = "rsasha256"
        }
    }
}