First, I understand that RSA/SHA-1 is not recommended, but it is required for this particular use case. Second, I can deploy the following without any problem:
resource "google_dns_managed_zone" "example-zone" {
  name        = "example-zone-02"
  dns_name    = "example-0123.com."
  description = "DNS Zone with DNSSEC"
  dnssec_config {
    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 2048
      key_type   = "zoneSigning"
      kind       = "dnsKeySpec"
    }
    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 2048
      key_type   = "keySigning"
      kind       = "dnsKeySpec"
    }
    kind          = "managedZoneDnsSecConfig"
    non_existence = "nsec"
    state         = "on"
  }
}
However, when I switch the algorithm to rsasha1, I get the following:
googleapi: Error 400: Invalid value for 'entity.managedZone.dnssecConfig.defaultKeySpecs[0]': 'ZONE_SIGNING / RSASHA1 / 2048'
│ More details:
│ Reason: invalid, Message: Invalid value for 'entity.managedZone.dnssecConfig.defaultKeySpecs[0]': 'ZONE_SIGNING / RSASHA1 / 2048'
│ Reason: invalid, Message: Invalid value for 'entity.managedZone.dnssecConfig.defaultKeySpecs[1]': 'KEY_SIGNING / RSASHA1 / 2048'
According to the documentation here, the key length should be acceptable... I have also tried 128, 256, 512 and 1024... no luck. Any help would be appreciated.
To use rsasha1 your Google Cloud project must be whitelisted. You have to contact Google Cloud support to enable SHA-1 support for DNSSEC. This also means you need a Google Cloud support contract.
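Since the API rejects rsasha1 unless the project has been specially enabled, a practical defence is to fail at plan time rather than at apply time. The following is an added example, written here and not taken from the question, the answer, or the Terraform Google provider project: a variable with a validation block that only admits the non-deprecated DNSSEC algorithms, plus a local map that pairs each algorithm with a key length. The algorithm names (rsasha256, rsasha512, ecdsap256sha256, ecdsap384sha384) are the values the google_dns_managed_zone resource accepts; the key lengths in the map are assumptions based on Cloud DNS documentation and should be checked against the current docs for your project.

```hcl
# Added example: reject the deprecated RSA/SHA-1 algorithm during `terraform plan`
# instead of discovering the "Invalid value for defaultKeySpecs" error at apply time.
variable "dnssec_algorithm" {
  description = "DNSSEC signing algorithm used for both the zone-signing and key-signing keys"
  type        = string
  default     = "rsasha256"

  validation {
    # rsasha1 is deliberately absent: it is deprecated for DNSSEC and Cloud DNS
    # only accepts it for projects that support has enabled.
    condition     = contains(["rsasha256", "rsasha512", "ecdsap256sha256", "ecdsap384sha384"], var.dnssec_algorithm)
    error_message = "dnssec_algorithm must be one of rsasha256, rsasha512, ecdsap256sha256 or ecdsap384sha384; rsasha1 is deprecated and requires Google Cloud support to enable."
  }
}

locals {
  # Assumed algorithm -> key length pairing; ECDSA key sizes are fixed by the curve.
  dnssec_key_length = {
    rsasha256       = 2048
    rsasha512       = 2048
    ecdsap256sha256 = 256
    ecdsap384sha384 = 384
  }
}

resource "google_dns_managed_zone" "example-zone" {
  name        = "example-zone-02"
  dns_name    = "example-0123.com."
  description = "DNS Zone with DNSSEC"

  dnssec_config {
    state         = "on"
    non_existence = "nsec"
    kind          = "managedZoneDnsSecConfig"

    default_key_specs {
      algorithm  = var.dnssec_algorithm
      key_length = local.dnssec_key_length[var.dnssec_algorithm]
      key_type   = "zoneSigning"
      kind       = "dnsKeySpec"
    }

    default_key_specs {
      algorithm  = var.dnssec_algorithm
      key_length = local.dnssec_key_length[var.dnssec_algorithm]
      key_type   = "keySigning"
      kind       = "dnsKeySpec"
    }
  }
}
```

Running `terraform plan -var dnssec_algorithm=rsasha1` stops with the validation message before any API call is made; with the default the plan matches the working configuration from the question. If the project has actually been enabled for SHA-1 by support, add "rsasha1" to the allowed list and the map in one place rather than editing each key spec.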