Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC

DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong. Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs. Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.The algorithm used for key signing should be a recommended one and it should be strong. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings. NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.

Risk Level: High
Cloud Entity: GCP DNS Managed Zone
CloudGuard Rule ID: D9.GCP.NET.27
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

DnsManagedZone should not have dnssecConfig.defaultKeySpecs contain [ keyType='keySigning' and algorithm='rsasha1' ]

REMEDIATION

From Portal
Changing the DNSSEC Key-Signing Key algorithm using the Google Cloud Console is not currently supported.

From Command Line

  1. Ensure the property algorithm for keyType keySigning is not using RSASHA1.
gcloud dns managed-zones describe ZONENAME --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"
  1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
  1. To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Supported algorithm options and key lengths are described and updated on this page :https://cloud.google.com/dns/docs/dnssec-advanced#advanced-signing-options

From TF
For the resource google_dns_managed_zone, When key_type= "keySigning" make sure google_dns_managed_zone.dnssec_config.default_key_specs.algorithm is NOT set to "rsasha1"in your template.
See below example;

resource "google_dns_managed_zone" "bad-example-zone" {
	name        = "bad-example-zone"
	dns_name    = "example.com."
	description = "Bad Example DNS zone"
	...
	dnssec_config  {
		default_key_specs {
			...
			algorithm = "rsasha1"
			key_type = "keySigning"
			...
		}
	}
	...
}

References

  1. https://workbench.cisecurity.org/sections/507171/recommendations/827576
  2. https://cloud.google.com/dns/docs/dnssec-advanced
  3. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#key_type

GCP DNS Managed Zone

A zone is a subtree of the DNS namespace under one administrative responsibility. A ManagedZone is a resource that represents a DNS zone hosted by the Cloud DNS service.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5