---
title: DNSSEC using RSASHA1
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > DNSSEC using RSASHA1
---

# DNSSEC using RSASHA1

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `6cf4c3a7-ceb0-4475-8892-3745b84be24a`

**Cloud Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/defaultKeySpecs/algorithm)

### Description{% #description %}

Using the RSASHA1 algorithm for DNSSEC weakens DNS integrity because SHA-1 is deprecated and vulnerable to collision attacks, increasing the risk of forged or tampered DNS responses.

For Ansible-managed Google Cloud DNS zones (modules `google.cloud.gcp_dns_managed_zone` and `gcp_dns_managed_zone`), the `dnssec_config.defaultKeySpecs.algorithm` property must not be set to `rsasha1` (checked case-insensitively). Resources with `dnssec_config.defaultKeySpecs.algorithm` set to `rsasha1` are flagged. Update the property to a stronger algorithm such as `RSASHA256`, `RSASHA512`, or an ECDSA option like `ECDSAP256SHA256`.

Secure configuration example:

```yaml
- name: Create managed zone with secure DNSSEC algorithm
  google.cloud.gcp_dns_managed_zone:
    name: my-zone
    dnssec_config:
      defaultKeySpecs:
        - algorithm: RSASHA256
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    dnssec_config:
      defaultKeySpecs:
        algorithm: RSASHA256
      state: off
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: test_object
    dns_name: test.somewild2.example.com.
    description: test zone
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      defaultKeySpecs:
        algorithm: RSASHA1
      state: off
```