Zone signing should not use RSA SHA1
Default Severity: medium
Explanation
RSA SHA1 is a weaker algorithm than SHA2-based algorithms such as RSA SHA256/512
Possible Impact
Less secure encryption algorithm than others available
Suggested Resolution
Use RSA SHA512
Insecure Example
The following example will fail the google-dns-no-rsa-sha1 check.
resource "google_dns_managed_zone" "foo" {
name = "foobar"
dns_name = "foo.bar."
dnssec_config {
state = "on"
non_existence = "nsec3"
}
}
data "google_dns_keys" "foo_dns_keys" {
managed_zone = google_dns_managed_zone.foo.id
zone_signing_keys {
algorithm = "rsasha1"
}
}
output "foo_dns_ds_record" {
description = "DS record of the foo subdomain."
value = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
}
Secure Example
The following example will pass the google-dns-no-rsa-sha1 check.
resource "google_dns_managed_zone" "foo" {
name = "foobar"
dns_name = "foo.bar."
dnssec_config {
state = "on"
non_existence = "nsec3"
}
}
data "google_dns_keys" "foo_dns_keys" {
managed_zone = google_dns_managed_zone.foo.id
zone_signing_keys {
algorithm = "rsasha512"
}
}
output "foo_dns_ds_record" {
description = "DS record of the foo subdomain."
value = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
}