rspec/rules/S6402/terraform/rule.adoc

Domain Name Systems (DNS) are vulnerable by default to various types of attacks.

One of the biggest risks is DNS cache poisoning, which occurs when a DNS accepts spoofed DNS data, caches the malicious records, and potentially sends them later in response to legitimate DNS request lookups. This attack typically relies on the attacker's https://en.wikipedia.org/wiki/Man-in-the-middle_attack[MITM] ability on the network and can be used to redirect users from an intended website to a malicious website.

To prevent these vulnerabilities, Domain Name System Security Extensions (DNSSEC) ensure the integrity and authenticity of DNS data by digitally signing DNS zones.

The public key of a DNS zone used to validate signatures can be trusted as DNSSEC is based on the following chain of trust:

* The parent DNS zone adds a "fingerprint" of the public key of the child zone in a "DS record".
* The parent DNS zone signs it with its own private key.
* And this process continues until the root zone.


== Ask Yourself Whether

The parent DNS zone (likely managed by the DNS registrar of the domain name) supports DNSSEC and

* The DNS zone is public (contains data such as public reachable IP addresses).

There is a risk if you answered yes to this question.


== Recommended Secure Coding Practices

It's recommended to use DNSSEC when creating private and public DNS zones. 

Private DNS zones cannot be queried on the Internet and provide DNS name resolution for private networks. The risk of MITM attacks might be considered low on these networks and therefore implementing DNSSEC is still recommended but not with a high priority. 

Note: Choose a robust signing algorithm when setting up DNSSEC, such as `rsasha256`. The https://en.wikipedia.org/wiki/SHA-1[insecure] `rsasha1` algorithm should no longer be used.


== Sensitive Code Example
[source,terraform]
----
resource "google_dns_managed_zone" "example" { # Sensitive: dnssec_config is missing
  name     = "foobar"
  dns_name = "foo.bar."
}
----

== Compliant Solution
[source,terraform]
----
resource "google_dns_managed_zone" "example" {
  name     = "foobar"
  dns_name = "foo.bar."

  dnssec_config {
    default_key_specs {
      algorithm = "rsasha256"
    }
  }
}
----

== See

* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cloud.google.com/dns/docs/dnssec-config[GCP Documentation] - Manage DNSSEC configuration
* https://cwe.mitre.org/data/definitions/345[MITRE, CWE-345] - Insufficient Verification of Data Authenticity
* https://cwe.mitre.org/data/definitions/353[MITRE, CWE-353] - Missing Support for Integrity Check


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure creating a DNS zone without DNSSEC enabled is safe here.


endif::env-github,rspecator-view[]
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Domain Name Systems (DNS) are vulnerable by default to various types of attacks.`
Create rule S6402[terraform] Creating DNS zones without DNSSEC enabled is security-sensitive (#691) * Create rule S6402 * init s6402 * fix * fixes after review * fixes after new review * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-02 14:47:12 +01:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`One of the biggest risks is DNS cache poisoning, which occurs when a DNS accepts spoofed DNS data, caches the malicious records, and potentially sends them later in response to legitimate DNS request lookups. This attack typically relies on the attacker's https://en.wikipedia.org/wiki/Man-in-the-middle_attack[MITM] ability on the network and can be used to redirect users from an intended website to a malicious website.`

			`To prevent these vulnerabilities, Domain Name System Security Extensions (DNSSEC) ensure the integrity and authenticity of DNS data by digitally signing DNS zones.`

			`The public key of a DNS zone used to validate signatures can be trusted as DNSSEC is based on the following chain of trust:`

			`* The parent DNS zone adds a "fingerprint" of the public key of the child zone in a "DS record".`
			`* The parent DNS zone signs it with its own private key.`
			`* And this process continues until the root zone.`


			`== Ask Yourself Whether`

			`The parent DNS zone (likely managed by the DNS registrar of the domain name) supports DNSSEC and`

			`* The DNS zone is public (contains data such as public reachable IP addresses).`

			`There is a risk if you answered yes to this question.`


			`== Recommended Secure Coding Practices`

			`It's recommended to use DNSSEC when creating private and public DNS zones.`

			`Private DNS zones cannot be queried on the Internet and provide DNS name resolution for private networks. The risk of MITM attacks might be considered low on these networks and therefore implementing DNSSEC is still recommended but not with a high priority.`

			Note: Choose a robust signing algorithm when setting up DNSSEC, such as `rsasha256`. The https://en.wikipedia.org/wiki/SHA-1[insecure] `rsasha1` algorithm should no longer be used.
Create rule S6402[terraform] Creating DNS zones without DNSSEC enabled is security-sensitive (#691) * Create rule S6402 * init s6402 * fix * fixes after review * fixes after new review * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-02 14:47:12 +01:00

			`== Sensitive Code Example`
			`[source,terraform]`
			`----`
			`resource "google_dns_managed_zone" "example" { # Sensitive: dnssec_config is missing`
			`name = "foobar"`
			`dns_name = "foo.bar."`
			`}`
			`----`

			`== Compliant Solution`
			`[source,terraform]`
			`----`
			`resource "google_dns_managed_zone" "example" {`
			`name = "foobar"`
			`dns_name = "foo.bar."`

			`dnssec_config {`
			`default_key_specs {`
			`algorithm = "rsasha256"`
			`}`
			`}`
			`}`
			`----`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== See`

			`* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures`
			`* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
			`* https://cloud.google.com/dns/docs/dnssec-config[GCP Documentation] - Manage DNSSEC configuration`
			`* https://cwe.mitre.org/data/definitions/345[MITRE, CWE-345] - Insufficient Verification of Data Authenticity`
			`* https://cwe.mitre.org/data/definitions/353[MITRE, CWE-353] - Missing Support for Integrity Check`

Create rule S6402[terraform] Creating DNS zones without DNSSEC enabled is security-sensitive (#691) * Create rule S6402 * init s6402 * fix * fixes after review * fixes after new review * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-02 14:47:12 +01:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure creating a DNS zone without DNSSEC enabled is safe here.`

Create rule S6402[terraform] Creating DNS zones without DNSSEC enabled is security-sensitive (#691) * Create rule S6402 * init s6402 * fix * fixes after review * fixes after new review * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-02 14:47:12 +01:00
			`endif::env-github,rspecator-view[]`