# Zone signing should not use RSA SHA1
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | dns |
| Provider | |
| Vulnerability Type | misconfiguration |
## Description
The DNS zone configuration uses the RSA SHA1 algorithm for zone signing, which is considered weak and outdated compared to SHA2-based algorithms like RSA SHA256 or RSA SHA512. This weak cryptographic choice reduces the overall security of DNSSEC protections.
## Impact
Using the RSA SHA1 algorithm increases the risk of cryptographic attacks, potentially allowing attackers to forge DNS records or compromise DNS integrity. This can lead to domain spoofing, interception of traffic, or other attacks that undermine trust in DNS responses.
## Resolution
Re-sign the zone with RSA SHA512.
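The following is an added detection example, not code from the original page or from any scanner the page describes. It reads DNSKEY and RRSIG records in standard presentation format (as returned by `dig`) and flags any whose algorithm number is an RSA/SHA-1 variant, so an operator can confirm a zone has actually been re-signed after the fix. The algorithm numbers come from the IANA DNS Security Algorithm Numbers registry (RSASHA1 is 5, RSASHA1-NSEC3-SHA1 is 7, RSASHA256 is 8, RSASHA512 is 10); the zone data, owner names and key material are constructed samples.

```python
"""Flag DNSSEC records (DNSKEY, RRSIG) that still use RSA/SHA-1 algorithms."""
from dataclasses import dataclass

# Subset of the IANA DNS Security Algorithm Numbers registry.
ALGORITHM_NAMES = {
    1: "RSAMD5",
    3: "DSA",
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
# MD5-, DSA- and SHA-1-based algorithms; the finding above concerns 5 and 7.
WEAK_ALGORITHMS = {1, 3, 5, 6, 7}


@dataclass
class Finding:
    owner: str
    rrtype: str
    algorithm: int
    algorithm_name: str


def algorithm_of(record):
    """Return (owner, rrtype, algorithm) for a DNSKEY or RRSIG record in
    presentation format, or None for any other line (comments, other RR types)."""
    fields = record.split()
    if not fields or fields[0].startswith(";"):
        return None
    # TTL and class are optional in presentation format, so locate the type
    # field by name rather than by position.
    for i, tok in enumerate(fields):
        if tok in ("DNSKEY", "RRSIG"):
            break
    else:
        return None
    if tok == "DNSKEY":
        alg_index = i + 3  # DNSKEY: flags protocol algorithm public-key
    else:
        alg_index = i + 2  # RRSIG: type-covered algorithm labels original-ttl ...
    try:
        return fields[0], tok, int(fields[alg_index])
    except (IndexError, ValueError):
        return None


def find_weak_signing(records):
    """Return a Finding for every DNSKEY/RRSIG line using a weak algorithm."""
    findings = []
    for line in records:
        parsed = algorithm_of(line)
        if parsed is None:
            continue
        owner, rrtype, alg = parsed
        if alg in WEAK_ALGORITHMS:
            name = ALGORITHM_NAMES.get(alg, f"UNASSIGNED({alg})")
            findings.append(Finding(owner, rrtype, alg, name))
    return findings


# Constructed sample zone data: names, keys and signatures are placeholders,
# not real cryptographic material. Algorithm 5 is RSASHA1.
SAMPLE_ZONE = """\
; constructed sample, signed with RSASHA1 (algorithm 5)
example.test. 3600 IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDKSK==
example.test. 3600 IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDZSK==
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20240201000000 20240101000000 12345 example.test. c29tZXNpZw==
www.example.test. 300 IN A 192.0.2.10
www.example.test. 300 IN RRSIG A 5 3 300 20240201000000 20240101000000 54321 example.test. c29tZXNpZw==
"""

# The same zone after re-signing with RSASHA512 (algorithm 10).
FIXED_ZONE = SAMPLE_ZONE.replace(" 3 5 ", " 3 10 ").replace("DNSKEY 5 2", "DNSKEY 10 2").replace("A 5 3", "A 10 3")


if __name__ == "__main__":
    for label, zone in (("before", SAMPLE_ZONE), ("after", FIXED_ZONE)):
        hits = find_weak_signing(zone.splitlines())
        print(f"{label}: {len(hits)} weak-algorithm record(s)")
        for f in hits:
            print(f"  {f.owner} {f.rrtype} algorithm {f.algorithm} ({f.algorithm_name})")
```

Run against the output of `dig +dnssec DNSKEY <zone>` (and the RRSIGs of a few signed names) to check both the keys and the signatures: a zone can publish an RSASHA512 key while stale RSASHA1 signatures remain until the old key is fully retired, so both record types are worth checking.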