
Metadata

Id: 6cf4c3a7-ceb0-4475-8892-3745b84be24a

Cloud Provider: GCP

Platform: Ansible

Severity: Medium

Category: Encryption

Description

Using the RSASHA1 algorithm for DNSSEC weakens DNS integrity because SHA-1 is deprecated and vulnerable to collision attacks, increasing the risk of forged or tampered DNS responses.

For Ansible-managed Google Cloud DNS zones (modules google.cloud.gcp_dns_managed_zone and gcp_dns_managed_zone), the dnssec_config.defaultKeySpecs.algorithm property must not be set to rsasha1; the comparison is case-insensitive, so RSASHA1, rsasha1 and any mixed-case spelling are all flagged. Update the property to a stronger algorithm such as RSASHA256, RSASHA512, or an ECDSA option like ECDSAP256SHA256.

Secure configuration example:

- name: Create managed zone with secure DNSSEC algorithm
  google.cloud.gcp_dns_managed_zone:
    name: my-zone
    dnssec_config:
      defaultKeySpecs:
        - algorithm: RSASHA256
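The check described above, as an added example (not Datadog's or the rule's own implementation): it walks the parsed task list of a playbook, recognises both module names, accepts defaultKeySpecs either as a mapping (as in the examples below) or as a list (as in the secure configuration example), and matches the algorithm case-insensitively. The sample tasks are constructed; in practice the list would come from yaml.safe_load() on the playbook file.

```python
"""Flag GCP Cloud DNS zones in Ansible tasks whose DNSSEC algorithm is RSASHA1."""

# Module names the rule applies to, per the description.
DNS_ZONE_MODULES = ("google.cloud.gcp_dns_managed_zone", "gcp_dns_managed_zone")
WEAK_ALGORITHM = "rsasha1"


def _key_specs(dnssec_config):
    """Normalise defaultKeySpecs to a list of mappings (mapping or list form)."""
    specs = (dnssec_config or {}).get("defaultKeySpecs")
    if isinstance(specs, dict):
        return [specs]
    if isinstance(specs, list):
        return [s for s in specs if isinstance(s, dict)]
    return []


def scan_tasks(tasks):
    """Return (task name, algorithm) for every zone task that uses RSASHA1.

    `tasks` is the structure yaml.safe_load() yields for a play's task list.
    """
    findings = []
    for task in tasks:
        for module in DNS_ZONE_MODULES:
            params = task.get(module)
            if not isinstance(params, dict):
                continue
            for spec in _key_specs(params.get("dnssec_config")):
                algorithm = spec.get("algorithm")
                # Case-insensitive match, as the rule describes.
                if isinstance(algorithm, str) and algorithm.lower() == WEAK_ALGORITHM:
                    findings.append((task.get("name", "<unnamed>"), algorithm))
    return findings


# Constructed sample tasks (parsed form of a playbook; not taken from the page).
SAMPLE_TASKS = [
    {"name": "compliant zone", "google.cloud.gcp_dns_managed_zone": {
        "name": "zone-a", "dnssec_config": {"defaultKeySpecs": {"algorithm": "RSASHA256"}}}},
    {"name": "weak zone, mapping form", "gcp_dns_managed_zone": {
        "name": "zone-b", "dnssec_config": {"defaultKeySpecs": {"algorithm": "RSASHA1"}}}},
    {"name": "weak zone, list form", "google.cloud.gcp_dns_managed_zone": {
        "name": "zone-c", "dnssec_config": {"defaultKeySpecs": [{"algorithm": "rsasha1"}]}}},
    {"name": "zone without DNSSEC block", "google.cloud.gcp_dns_managed_zone": {"name": "zone-d"}},
]

if __name__ == "__main__":
    for name, alg in scan_tasks(SAMPLE_TASKS):
        print(f"FLAGGED: task '{name}' uses DNSSEC algorithm {alg}")
```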

Compliant Code Examples

- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    dnssec_config:
      defaultKeySpecs:
        algorithm: RSASHA256  # SHA-256-based signing is not flagged by this rule
      state: off

Non-Compliant Code Examples

---
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      defaultKeySpecs:
        algorithm: RSASHA1  # flagged: SHA-1-based DNSSEC signing (case-insensitive match)
      state: off