MEDIUM
Source
Trivy/CSPM
CSPM ID
dns-security-signing-algorithm
ID
AVD-GCP-0012

Zone signing should not use RSA SHA1

RSA SHA1 (DNSSEC algorithms 5 and 7) is built on SHA-1, for which practical collision attacks have been demonstrated, and is weaker than the SHA-2 based algorithms such as RSA SHA256 and RSA SHA512. RFC 8624 lists RSASHA1 as NOT RECOMMENDED for signing new zones.

Impact

DNSSEC signatures (DNSSEC signs, it does not encrypt) over the zone are only as strong as SHA-1. Validators that no longer support or have disabled SHA-1 treat the zone as insecure, i.e. as if it were unsigned, so the protection DNSSEC was meant to give silently disappears for those resolvers.

Follow the appropriate remediation steps below to resolve the issue.

Use RSA SHA512 (or another non-SHA-1 algorithm Cloud DNS supports: rsasha256, ecdsap256sha256, ecdsap384sha384)

The check fires when a default_key_specs block inside dnssec_config sets algorithm = "rsasha1" for either the key-signing or the zone-signing key; any other supported value passes. On a zone that is already signed, changing the algorithm is a DNSSEC key rollover: publish the new DS record in the parent before withdrawing the old one.

# DNSSEC-enabled zone whose keys are generated with RSA SHA512.
resource "google_dns_managed_zone" "foo" {
  name     = "foobar"
  dns_name = "foo.bar."

  dnssec_config {
    state         = "on"
    non_existence = "nsec3"

    # The signing algorithm is chosen here. If you set a spec for one
    # key type you must also set one for the other.
    default_key_specs {
      key_type   = "keySigning"
      algorithm  = "rsasha512"
      key_length = 2048
    }
    default_key_specs {
      key_type   = "zoneSigning"
      algorithm  = "rsasha512"
      key_length = 2048
    }
  }
}

# Read back the generated keys. This data source is read-only; it reports
# key_signing_keys and zone_signing_keys but cannot choose the algorithm.
data "google_dns_keys" "foo_dns_keys" {
  managed_zone = google_dns_managed_zone.foo.id
}

output "foo_dns_ds_record" {
  description = "DS record of the foo subdomain, to be published in the parent zone."
  value       = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
}
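The Terraform check above only sees zones that are declared in code. The following script is an added example, not code from this page or from the Trivy project: it audits a deployed zone by reading the JSON that `gcloud dns dns-keys list --zone=ZONE --format=json` prints and flags every active key that signs with rsasha1. The field names (algorithm, type, isActive, keyTag, keyLength) follow the Cloud DNS DnsKey resource; the SAMPLE_KEYS records are constructed for this example and not captured from a real project.

```python
"""Audit the DNSSEC keys of a deployed Cloud DNS zone for RSA SHA1.

Added example; not code from the AVD page or the Trivy project.  Field
names follow the Cloud DNS DnsKey resource; SAMPLE_KEYS is constructed.
"""
import json
import subprocess

# rsasha1 is the only value AVD-GCP-0012 rejects.  RFC 8624 additionally
# marks rsasha512 NOT RECOMMENDED for new signing (rsasha256 and
# ecdsap256sha256 are the MUST choices), so it is reported as a warning
# rather than a failure.
FAIL_ALGORITHMS = {"rsasha1"}
WARN_ALGORITHMS = {"rsasha512"}


def audit_keys(keys):
    """Return (level, key_type, key_tag, algorithm) tuples for active keys
    whose algorithm is weak or discouraged; an empty list means clean."""
    findings = []
    for key in keys:
        # Inactive keys are kept for rollover history and no longer sign
        # anything, so they do not weaken the zone.
        if not key.get("isActive", False):
            continue
        algorithm = str(key.get("algorithm", "")).lower()
        finding = (key.get("type", "unknown"), key.get("keyTag"), algorithm)
        if algorithm in FAIL_ALGORITHMS:
            findings.append(("FAIL",) + finding)
        elif algorithm in WARN_ALGORITHMS:
            findings.append(("WARN",) + finding)
    return findings


def audit_zone(zone, project):
    """Fetch a live zone's keys with gcloud and audit them (needs gcloud auth)."""
    raw = subprocess.check_output(
        ["gcloud", "dns", "dns-keys", "list", f"--zone={zone}",
         f"--project={project}", "--format=json"]
    )
    return audit_keys(json.loads(raw))


# Constructed sample: an active RSA SHA1 KSK (the misconfiguration), an
# active RSA SHA256 ZSK, and a retired RSA SHA1 ZSK left over from rollover.
SAMPLE_KEYS = [
    {"id": "0", "type": "keySigning", "algorithm": "rsasha1",
     "keyLength": 2048, "keyTag": 12345, "isActive": True},
    {"id": "1", "type": "zoneSigning", "algorithm": "rsasha256",
     "keyLength": 1024, "keyTag": 23456, "isActive": True},
    {"id": "2", "type": "zoneSigning", "algorithm": "rsasha1",
     "keyLength": 1024, "keyTag": 34567, "isActive": False},
]


def main():
    # Offline run over the constructed sample; swap in audit_zone() for a
    # real zone.
    for level, key_type, key_tag, algorithm in audit_keys(SAMPLE_KEYS):
        print(f"{level}: {key_type} key tag {key_tag} uses {algorithm}")


if __name__ == "__main__":
    main()
```

Running it over the sample reports only the active RSA SHA1 key-signing key; the retired rsasha1 ZSK is ignored because it no longer produces signatures. For the IaC side, `trivy config <dir>` runs this check (and the rest of the Trivy misconfiguration checks) against the Terraform files in a directory.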