Google CloudOverview
NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.
Rationale
Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-ofexistence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.
Remediation guidance
Using Google Cloud CLI
- If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:
gcloud dns managed-zones update <zoneName> --dnssec-state off
- To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update <zoneName> --dnssec-state on --ksk-algorithm --ksk-key-length --zsk-algorithm --zsk-key-length --denial-of-existence <denialOfExistence>
References
- https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html
- https://cloud.google.com/dns/dnssec-config#enabling
- https://cloud.google.com/dns/dnssec
Additional Information
- RSASHA1 key-signing support may be required for compatibility reasons.
- Remediation CLI works well with gcloud-cli version 221.0.0 and later.
Google Cloud Console (Asset-Level)
- Open the affected project/resource from the finding details in Google Cloud Console.
- Navigate to the resource security/configuration settings.
- Apply the control-specific secure configuration.
- Save and re-run the check.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"keySigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}
