DNSSEC Using RSASHA1
ID | gcp_dnssec_using_rsasha1
Severity | high
Vendor | GCP
Resource | Network
Tags | reachable
Description
DNSKEY is a DNS record that contains the public key used to verify digital signatures on DNS data; for a Google Cloud DNS managed zone, the algorithm of that key is set by the zone's default key specification.
RSA-SHA1 is the algorithm used by default when DNSSEC is not configured, and it should not be used as the default algorithm for a Google Cloud DNS managed zone because SHA-1 is vulnerable to collision attacks: an attacker can create two different messages with the same SHA-1 hash and trick the verifier into accepting a forged message. This could compromise the security and integrity of your DNS data.
To fix it, configure a dnssec_config block and do not use rsasha1 as the value of its default_key_specs.algorithm property.
Learn more about this topic at Google Cloud - Manage DNSSEC configuration.
Examples
---
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: testzone
    dns_name: testzone.com.
    description: test zone
    dnssec_config:
      state: "on"   # quoted: an unquoted on is parsed as the YAML boolean true, not the string the module expects
      non_existence: nsec3
      default_key_specs:
        - algorithm: rsasha1   # the weak algorithm this rule flags
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
Mitigation / Fix
---
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: testzone
    dns_name: testzone.com.
    description: test zone
    dnssec_config:
      state: "on"   # quoted: an unquoted on is parsed as the YAML boolean true, not the string the module expects
      non_existence: nsec3
      default_key_specs:
        - algorithm: rsasha256   # SHA-256 based signing instead of rsasha1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
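The check this rule describes, written out as an added example (it is not the scanner's own implementation and not code from the Google Cloud collection): it walks an already-parsed Ansible playbook, the structure yaml.safe_load returns for a playbook or task file, finds google.cloud.gcp_dns_managed_zone tasks (the legacy short module name is also accepted, an assumption), and reports any whose dnssec_config.default_key_specs.algorithm is rsasha1 or whose dnssec_config is missing so that the default named above applies. The playbooks it runs over are constructed inline to mirror the vulnerable and fixed examples on this page.

```python
"""Added example for the DNSSEC Using RSASHA1 rule (not the rule's own implementation).

Walks an already-parsed Ansible playbook (the structure yaml.safe_load would return)
and reports google.cloud.gcp_dns_managed_zone tasks whose DNSSEC key algorithm is
rsasha1 or is left unset, so that the rule's stated default applies.
"""
from typing import Any, Dict, Iterator, List

# Module names under which the task can appear: the FQCN used on this page and the legacy short name (assumed).
MANAGED_ZONE_MODULES = ("google.cloud.gcp_dns_managed_zone", "gcp_dns_managed_zone")
# Algorithm values this rule rejects (compared case-insensitively).
WEAK_ALGORITHMS = {"rsasha1"}
# Keys whose lists may hold further tasks (plays and blocks).
TASK_LIST_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers", "block", "rescue", "always")


def iter_managed_zone_tasks(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every task that invokes the managed-zone module, descending into plays and blocks."""
    if isinstance(node, dict):
        node = [node]
    for item in node or []:
        if not isinstance(item, dict):
            continue
        if any(mod in item for mod in MANAGED_ZONE_MODULES):
            yield item
        for key in TASK_LIST_KEYS:
            if isinstance(item.get(key), list):
                yield from iter_managed_zone_tasks(item[key])


def configured_algorithms(params: Dict[str, Any]) -> List[str]:
    """Return the lower-cased algorithm of each dnssec_config.default_key_specs entry that sets one."""
    cfg = params.get("dnssec_config") or {}
    specs = cfg.get("default_key_specs") or []
    if isinstance(specs, dict):  # tolerate a single mapping where a list is expected
        specs = [specs]
    return [str(spec["algorithm"]).lower() for spec in specs if isinstance(spec, dict) and spec.get("algorithm")]


def check_task(task: Dict[str, Any]) -> List[str]:
    """Return one finding per problem in a managed-zone task; an empty list means compliant."""
    module = next(mod for mod in MANAGED_ZONE_MODULES if mod in task)
    params = task.get(module) or {}
    label = task.get("name", "<unnamed task>")
    if not params.get("dnssec_config"):
        return [f"{label}: dnssec_config is not set, so the default key algorithm (rsasha1) applies"]
    algorithms = configured_algorithms(params)
    if not algorithms:
        return [f"{label}: dnssec_config.default_key_specs sets no algorithm, so the default (rsasha1) applies"]
    return [f"{label}: default_key_specs.algorithm is {alg}" for alg in algorithms if alg in WEAK_ALGORITHMS]


def check_playbook(playbook: Any) -> List[str]:
    """Run check_task over every managed-zone task in a parsed playbook or task file."""
    findings: List[str] = []
    for task in iter_managed_zone_tasks(playbook):
        findings.extend(check_task(task))
    return findings


def _zone_task(dnssec_config: Any) -> Dict[str, Any]:
    """Build a task mirroring the page's example with the given dnssec_config (constructed input)."""
    params: Dict[str, Any] = {
        "name": "testzone",
        "dns_name": "testzone.com.",
        "description": "test zone",
        "project": "test_project",
        "auth_kind": "serviceaccount",
        "service_account_file": "/tmp/auth.pem",
        "state": "present",
    }
    if dnssec_config is not None:
        params["dnssec_config"] = dnssec_config
    return {"name": "create a managed zone", "google.cloud.gcp_dns_managed_zone": params}


# Constructed inputs: the page's vulnerable example, its fixed example, and a zone with no dnssec_config.
VULNERABLE_PLAYBOOK = [_zone_task({"state": "on", "non_existence": "nsec3",
                                   "default_key_specs": [{"algorithm": "rsasha1"}]})]
FIXED_PLAYBOOK = [_zone_task({"state": "on", "non_existence": "nsec3",
                              "default_key_specs": [{"algorithm": "rsasha256"}]})]
UNSET_PLAYBOOK = [_zone_task(None)]

if __name__ == "__main__":
    for title, playbook in (("vulnerable", VULNERABLE_PLAYBOOK), ("fixed", FIXED_PLAYBOOK), ("unset", UNSET_PLAYBOOK)):
        print(title, check_playbook(playbook) or ["no findings"])
```

The check deliberately reads the algorithm only from default_key_specs, the path the rule names, and treats a missing dnssec_config or an entry without an algorithm as a finding rather than silently passing, since in both cases the managed zone ends up with whatever Cloud DNS applies by default rather than an explicitly chosen algorithm.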