DNS managed zone DNSSEC zone-signing keys should not use RSASHA1 Affecting Cloud DNS service in Google

Snyk CCSS

Network / Security

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Google CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00404
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

DNS managed zone DNSSEC zone-signing keys should not use RSASHA1. Domain Name System Security Extensions (DNSSEC) algorithm numbers may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The zone-signing key algorithm should be strong, and RSASHA1 is no longer considered secure. Use it only for compatibility reasons.

How to fix?

Do not Set default_key_specs.algorithm = "rsasha1". DNS managed zone DNSSEC zone-signing keys should not use RSASHA1.

Example Configuration

resource "google_dns_managed_zone" "allowed1" {
  name     = "test404-a"
  dns_name = "dns.google."
  project  = "test-project"

  dnssec_config {
    state = "on"

    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 2048
      key_type   = "keySigning"
    }

    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 1024
      key_type   = "zoneSigning"
    }
  }
}

Terraform

google_dns_managed_zone

DNS managed zone DNSSEC zone-signing keys should not use RSASHA1 Affecting Cloud DNS service in Google

Severity

Description

How to fix?

Example Configuration

Terraform