Id: 80b15fb1-6207-40f4-a803-6915ae619a03
Cloud Provider: GCP
Platform: Ansible
Severity: Medium
Category: Insecure Configurations
Description
DNS zones must have DNSSEC enabled to protect DNS responses from tampering, spoofing, and cache poisoning and to ensure the authenticity and integrity of name resolution.
For Ansible-managed Google Cloud DNS zones using google.cloud.gcp_dns_managed_zone or gcp_dns_managed_zone, the dnssec_config.state property must be defined and set to "on". Resources missing dnssec_config, missing dnssec_config.state, or with dnssec_config.state not equal to "on" are flagged.
Secure configuration example:
- name: Create DNS managed zone with DNSSEC enabled
  google.cloud.gcp_dns_managed_zone:
    name: my-managed-zone
    dns_name: example.com.
    dnssec_config:
      state: "on"
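The rule above can be checked offline before a playbook reaches Google Cloud. The following checker is an added example, not part of the Datadog page or of the google.cloud collection: it walks parsed Ansible tasks, finds the managed-zone module under either of its two names, and reports every task whose dnssec_config.state is missing or not the string "on". The sample tasks are constructed here as already-parsed Python structures (the shape a YAML loader such as PyYAML's safe_load produces), so no third-party dependency is needed. One of them carries state True, which is what a YAML 1.1 loader such as PyYAML makes of an unquoted on; the checker flags that case separately so the reason for quoting "on" in the secure example is visible.

```python
"""Flag Ansible tasks that create Google Cloud DNS managed zones without DNSSEC.

Added example; module names come from the rule description, task shapes are
constructed to mirror the page's compliant and non-compliant playbooks.
"""
from typing import Any, Dict, List, Optional, Tuple

# Both spellings the rule description lists for the managed-zone module.
ZONE_MODULES = ("google.cloud.gcp_dns_managed_zone", "gcp_dns_managed_zone")


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Return a finding for a managed-zone task, or None if compliant / out of scope."""
    module = next((m for m in ZONE_MODULES if m in task), None)
    if module is None:
        return None  # not a DNS managed-zone task, nothing to check
    params = task.get(module) or {}
    cfg = params.get("dnssec_config")
    if not isinstance(cfg, dict):
        return "dnssec_config is missing"
    if "state" not in cfg:
        return "dnssec_config.state is missing"
    state = cfg["state"]
    # A YAML 1.1 loader (PyYAML) turns a bare `on` into boolean True, so the
    # module never receives the string the rule requires; report it explicitly.
    if state is True:
        return 'dnssec_config.state is an unquoted on (loaded as boolean True); write "on"'
    if state != "on":
        return f'dnssec_config.state is {state!r}, expected "on"'
    return None


def check_playbook(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (task name, reason) for every non-compliant managed-zone task."""
    findings = []
    for task in tasks:
        reason = check_task(task)
        if reason is not None:
            findings.append((task.get("name", "<unnamed task>"), reason))
    return findings


def _zone(**overrides: Any) -> Dict[str, Any]:
    """Build the common module parameters used by the constructed sample tasks."""
    params = {"name": "test_object", "dns_name": "test.somewild2.example.com.",
              "project": "test_project", "state": "present"}
    params.update(overrides)
    return params


# Constructed sample playbook, as a YAML loader would hand it over.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "compliant zone",
     "google.cloud.gcp_dns_managed_zone": _zone(dnssec_config={"kind": "some_kind", "state": "on"})},
    {"name": "zone without dnssec_config",
     "google.cloud.gcp_dns_managed_zone": _zone()},
    {"name": "zone with kind only",
     "google.cloud.gcp_dns_managed_zone": _zone(dnssec_config={"kind": "some_kind"})},
    {"name": "zone with dnssec off",
     "google.cloud.gcp_dns_managed_zone": _zone(dnssec_config={"kind": "some_kind", "state": "off"})},
    {"name": "zone with unquoted on",
     "gcp_dns_managed_zone": _zone(dnssec_config={"state": True})},
    {"name": "unrelated task",
     "ansible.builtin.debug": {"msg": "not a zone"}},
]


if __name__ == "__main__":
    for name, reason in check_playbook(SAMPLE_TASKS):
        print(f"{name}: {reason}")
```

Run against the sample playbook it prints four findings: the zones missing dnssec_config, missing state, set to "off", and carrying the boolean True from an unquoted on; the compliant zone and the unrelated debug task are silent.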
Compliant Code Examples
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    dnssec_config:
      kind: some_kind
      state: "on"   # quoted: a bare on is loaded as boolean true by YAML 1.1 parsers
Non-Compliant Code Examples
---
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    # dnssec_config is missing entirely

- name: create a second managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      kind: some_kind
      # dnssec_config.state is missing

- name: create a third managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      kind: some_kind
      state: "off"   # dnssec_config.state is not "on"