
First things first, I understand RSA SHA1 is not recommended, but it is required for this particular use case. Second, I am able to deploy the following without issue:

resource "google_dns_managed_zone" "example-zone" {
  name        = "example-zone-02"
  dns_name    = "example-0123.com."
  description = "DNS Zone with DNSSEC"
  dnssec_config {
    default_key_specs {
      algorithm = "rsasha256"
      key_length = 2048
      key_type = "zoneSigning"
      kind = "dnsKeySpec"
    }
    default_key_specs {
      algorithm = "rsasha256"
      key_length = 2048
      key_type = "keySigning"
      kind = "dnsKeySpec"
    }
    kind = "managedZoneDnsSecConfig"
    non_existence = "nsec"
    state = "on"
  }
}

However, as soon as I switch the algorithm to rsasha1 I get the following:

googleapi: Error 400: Invalid value for 'entity.managedZone.dnssecConfig.defaultKeySpecs[0]': 'ZONE_SIGNING / RSASHA1 / 2048'
│ More details:
│ Reason: invalid, Message: Invalid value for 'entity.managedZone.dnssecConfig.defaultKeySpecs[0]': 'ZONE_SIGNING / RSASHA1 / 2048'
│ Reason: invalid, Message: Invalid value for 'entity.managedZone.dnssecConfig.defaultKeySpecs[1]': 'KEY_SIGNING / RSASHA1 / 2048'

According to the documentation here, the key length(s) should be acceptable. I've tried 128, 256, 512, and 1024 as well; no luck. Any help is greatly appreciated.

John Hanley
snoozesec

1 Answer

In order to use rsasha1 your Google Cloud project must be whitelisted. You must contact Google Cloud support to enable SHA1 support for DNSSEC. That also means you need a Google Cloud support contract.

John Hanley
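As an added example (not from the question or the answer), one way to catch an unsupported algorithm/key-length combination at `terraform plan` time instead of as a 400 from the API: a variable with validation blocks, with the zone resource from the question reading its key specs from it. The accepted set of algorithms is an assumption for illustration; rsasha1 is deliberately left out because, per the answer, it is rejected unless the project has been enabled for it, and a project that has been enabled would add it to the list.

```hcl
# Added example: fail at plan time, not at apply time, when a key spec
# is outside the combinations this project has approved.
variable "dnssec_key_specs" {
  description = "Zone-signing and key-signing key specs for the managed zone."
  type = list(object({
    algorithm  = string
    key_length = number
    key_type   = string
  }))
  default = [
    { algorithm = "rsasha256", key_length = 2048, key_type = "zoneSigning" },
    { algorithm = "rsasha256", key_length = 2048, key_type = "keySigning" },
  ]

  # Assumed allowlist for illustration: rsasha1 is intentionally absent because,
  # per the answer, it is rejected unless Google Cloud support has enabled it.
  validation {
    condition = alltrue([
      for spec in var.dnssec_key_specs :
      contains(["rsasha256", "rsasha512", "ecdsap256sha256", "ecdsap384sha384"], spec.algorithm)
    ])
    error_message = "algorithm must be rsasha256, rsasha512, ecdsap256sha256 or ecdsap384sha384 (rsasha1 needs project enablement by Google Cloud support)."
  }
  validation {
    condition = (length([for s in var.dnssec_key_specs : s if s.key_type == "zoneSigning"]) == 1
      && length([for s in var.dnssec_key_specs : s if s.key_type == "keySigning"]) == 1)
    error_message = "Exactly one zoneSigning and one keySigning spec are required."
  }
}

resource "google_dns_managed_zone" "example-zone" {
  name        = "example-zone-02"
  dns_name    = "example-0123.com."
  description = "DNS Zone with DNSSEC"
  dnssec_config {
    dynamic "default_key_specs" {
      for_each = var.dnssec_key_specs
      content {
        algorithm  = default_key_specs.value.algorithm
        key_length = default_key_specs.value.key_length
        key_type   = default_key_specs.value.key_type
        kind       = "dnsKeySpec"
      }
    }
    kind          = "managedZoneDnsSecConfig"
    non_existence = "nsec"
    state         = "on"
  }
}
```

With this in place, setting `algorithm = "rsasha1"` in the variable is rejected by `terraform validate` with the error message above rather than by the Cloud DNS API during apply.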