Id: 80b15fb1-6207-40f4-a803-6915ae619a03
Cloud Provider: GCP
Platform: Ansible
Severity: Medium
Category: Insecure Configurations
Description
DNS zones must have DNSSEC enabled to protect DNS responses from tampering, spoofing, and cache poisoning and to ensure the authenticity and integrity of name resolution.
For Ansible-managed Google Cloud DNS zones using google.cloud.gcp_dns_managed_zone or gcp_dns_managed_zone, the dnssec_config.state property must be defined and set to "on". Resources missing dnssec_config, missing dnssec_config.state, or with dnssec_config.state not equal to "on" are flagged.
Secure configuration example:
- name: Create DNS managed zone with DNSSEC enabled
  google.cloud.gcp_dns_managed_zone:
    name: my-managed-zone
    dns_name: example.com.
    dnssec_config:
      state: "on"
Compliant Code Examples
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    dnssec_config:
      kind: some_kind
      # quoted: YAML 1.1 loaders such as PyYAML read a bare on as boolean true
      state: "on"
Non-Compliant Code Examples
---
# Non-compliant: dnssec_config is not defined
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
# Non-compliant: dnssec_config.state is not defined
- name: create a second managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      kind: some_kind
# Non-compliant: dnssec_config.state is not "on"
- name: create a third managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      kind: some_kind
      state: off
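
The rule described on this page can be expressed as a small checker over parsed playbook tasks. This is an added example, not the scanner's own query; the helper names (`check_task`, `scan`, `zone`) and the sample tasks are constructed for illustration, and it assumes a YAML 1.1 loader that turns an unquoted `on`/`off` into a boolean.

```python
# Added example: the rule above, applied to tasks already parsed from YAML.
MODULES = ("google.cloud.gcp_dns_managed_zone", "gcp_dns_managed_zone")

def normalise_state(value):
    # Assumption: a YAML 1.1 loader (e.g. PyYAML) yields True/False for bare on/off.
    if isinstance(value, bool):
        return "on" if value else "off"
    return value

def check_task(task):
    """Return a finding string for a non-compliant zone task, else None."""
    for module in MODULES:
        args = task.get(module)
        if isinstance(args, dict):
            break
    else:
        return None  # not a Cloud DNS managed zone task
    name = task.get("name", "<unnamed task>")
    dnssec = args.get("dnssec_config")
    if not isinstance(dnssec, dict):
        return f"{name}: dnssec_config is missing"
    if "state" not in dnssec:
        return f"{name}: dnssec_config.state is missing"
    state = normalise_state(dnssec["state"])
    if state != "on":
        return f"{name}: dnssec_config.state is {state!r}, expected 'on'"
    return None

def scan(tasks):
    return [finding for finding in map(check_task, tasks) if finding]

def zone(name, dnssec=None, module=MODULES[0]):
    # Hypothetical helper that builds a constructed sample task.
    args = {"name": "test_object", "dns_name": "test.somewild2.example.com."}
    if dnssec is not None:
        args["dnssec_config"] = dnssec
    return {"name": name, module: args}

SAMPLE_TASKS = [  # constructed, mirroring the page's examples
    zone("compliant zone", {"kind": "some_kind", "state": "on"}),
    zone("unquoted on", {"state": True}, module=MODULES[1]),
    zone("first zone"),
    zone("second zone", {"kind": "some_kind"}),
    zone("third zone", {"kind": "some_kind", "state": False}),
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "hi"}},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_TASKS)))
```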