
Metadata

Id: ccc3100c-0fdd-4a5e-9908-c10107291860

Cloud Provider: gcp

Framework: Terraform

Severity: Medium

Category: Encryption

Description

DNSSEC should not use the RSASHA1 algorithm, which is considered weak and vulnerable to cryptographic attacks. If a google_dns_managed_zone resource's dnssec_config block contains a default_key_specs block with algorithm = "rsasha1", attackers may be able to exploit known weaknesses in the algorithm to forge DNS records, potentially redirecting users to malicious sites or causing other security issues. Instead, use a stronger algorithm such as rsasha256:

dnssec_config {
    default_key_specs {
        algorithm = "rsasha256"
    }
}
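As an added example (not part of the original rule page or of Datadog's scanner), the following Python script implements the check described above: it walks a Terraform file line by line, tracks the enclosing blocks, and reports every default_key_specs block nested under dnssec_config whose algorithm is rsasha1. The two embedded Terraform snippets are constructed sample input; the block tracker is a hand-rolled scanner that handles the one-block-header-per-line layout used in this page's examples, not the full HCL grammar.

```python
import re
from typing import List, Tuple

# Constructed sample input: one zone signed with the weak algorithm, one with rsasha256.
NONCOMPLIANT_TF = '''\
resource "google_dns_managed_zone" "positive1" {
    name        = "example-zone"
    dns_name    = "example-${random_id.rnd.hex}.com."
    labels = {
        foo = "bar"
    }
    dnssec_config {
        state = "on"
        default_key_specs {
            algorithm = "rsasha1"
            key_type  = "keySigning"
        }
    }
}
'''

COMPLIANT_TF = '''\
resource "google_dns_managed_zone" "negative1" {
    name        = "example-zone"
    dns_name    = "example-${random_id.rnd.hex}.com."
    dnssec_config {
        default_key_specs {
            algorithm = "rsasha256"
        }
    }
}
'''

# The rule on this page flags only rsasha1 (constant name chosen for this example).
WEAK_ALGORITHMS = {"rsasha1"}

# Block header: either `resource "<type>" "<name>" {` or a plain `<label> {` line.
_BLOCK_OPEN = re.compile(r'^\s*(resource\s+"([^"]+)"\s+"([^"]+)"|(\w+))\s*\{\s*$')
# Map attribute such as `labels = {`; it also opens a brace that must be popped later.
_MAP_OPEN = re.compile(r'^\s*\w+\s*=\s*\{\s*$')
# Simple string assignment such as `algorithm = "rsasha1"`.
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def find_weak_dnssec_algorithms(hcl: str) -> List[Tuple[str, int, str]]:
    """Return (resource address, line number, algorithm) for every
    dnssec_config > default_key_specs block whose algorithm is in WEAK_ALGORITHMS."""
    findings: List[Tuple[str, int, str]] = []
    stack: List[str] = []   # names of the enclosing blocks, outermost first
    resource = None         # address of the resource currently being scanned
    for lineno, raw in enumerate(hcl.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # naive comment stripping
        if not line.strip():
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            if m.group(2):
                resource = f"{m.group(2)}.{m.group(3)}"
                stack.append("resource")
            else:
                stack.append(m.group(4))
            continue
        if _MAP_OPEN.match(line):
            stack.append("<map>")
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            if not stack:
                resource = None
            continue
        a = _ASSIGN.match(line)
        if a and a.group(1) == "algorithm" and stack[-2:] == ["dnssec_config", "default_key_specs"]:
            algo = a.group(2).lower()
            if algo in WEAK_ALGORITHMS:
                findings.append((resource or "<unknown>", lineno, algo))
    return findings


def is_compliant(hcl: str) -> bool:
    """True when no dnssec_config key spec uses a weak algorithm."""
    return not find_weak_dnssec_algorithms(hcl)


if __name__ == "__main__":
    for label, tf in (("non-compliant", NONCOMPLIANT_TF), ("compliant", COMPLIANT_TF)):
        for address, lineno, algo in find_weak_dnssec_algorithms(tf):
            print(f"[{label}] {address} line {lineno}: weak DNSSEC algorithm {algo}")
        print(f"[{label}] compliant: {is_compliant(tf)}")
```

Run it as a script to see the finding for positive1; in a real pipeline you would feed it the contents of each .tf file and fail the build when find_weak_dnssec_algorithms returns anything.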

Compliant Code Examples

resource "google_dns_managed_zone" "negative1" {
    name        = "example-zone"
    dns_name    = "example-${random_id.rnd.hex}.com."
    description = "Example DNS zone"
    labels = {
        foo = "bar"
    }

    dnssec_config {
        default_key_specs {
            algorithm = "rsasha256"
        }
    }
}

Non-Compliant Code Examples

resource "google_dns_managed_zone" "positive1" {
    name        = "example-zone"
    dns_name    = "example-${random_id.rnd.hex}.com."
    description = "Example DNS zone"
    labels = {
        foo = "bar"
    }

    dnssec_config {
        default_key_specs {
            algorithm = "rsasha1"
        }
    }
}