DNSSEC zone signing should not use RSASHA1 (DNSSEC algorithm 5)
RSASHA1 relies on SHA-1, which is no longer considered collision-resistant and is deprecated for DNSSEC signing. Prefer the SHA-2 based algorithms RSASHA256 or RSASHA512 (or an ECDSA P-256/P-384 algorithm where supported, which yields smaller signatures and responses).
Impact
Zone signatures are produced with a weaker hash than the alternatives available. DNSSEC signs records, it does not encrypt them, so the weakness affects the authenticity and integrity guarantees that resolvers rely on, not confidentiality.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue. The algorithm is chosen when Cloud DNS creates the zone's keys, so set it in `dnssec_config.default_key_specs` on the managed zone. Changing the algorithm of a zone that is already signed is a DNSSEC algorithm rollover: the new keys must be published and the DS record at the parent zone updated before the old keys are retired, otherwise validating resolvers will fail the zone.
Use RSASHA512 (or RSASHA256) for both the zone-signing and key-signing keys
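resource "google_dns_managed_zone" "foo" {
  name     = "foobar"
  dns_name = "foo.bar."

  dnssec_config {
    state         = "on"
    non_existence = "nsec3"

    # The signing algorithm is fixed here, when Cloud DNS generates the keys.
    # The google_dns_keys data source below only reads keys that already
    # exist, so an algorithm placed there is not enforced. Both key types are
    # declared so neither silently falls back to the provider default.
    default_key_specs {
      key_type   = "zoneSigning"
      algorithm  = "rsasha512"
      key_length = 2048 # NOTE(review): Cloud DNS accepts 1024 or 2048 for RSA keys - confirm against current provider docs
    }
    default_key_specs {
      key_type   = "keySigning"
      algorithm  = "rsasha512"
      key_length = 2048
    }
  }
}

# Read-only view of the keys Cloud DNS generated for the zone above.
data "google_dns_keys" "foo_dns_keys" {
  managed_zone = google_dns_managed_zone.foo.id
}

# DS record to publish in the parent zone. If the algorithm of an existing,
# already-delegated zone is changed, this value changes too and must be
# re-published at the parent before the old keys are retired.
output "foo_dns_ds_record" {
  description = "DS record of the foo subdomain."
  value       = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
}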