Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC

Risk Level: High
Cloud Entity: GCP DNS Managed Zone
CloudGuard Rule ID: D9.GCP.NET.27
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

DnsManagedZone should not have dnssecConfig.defaultKeySpecs contain [ keyType='keySigning' and algorithm='rsasha1' ]

REMEDIATION

From Portal
Changing the DNSSEC Key-Signing Key algorithm using the Google Cloud Console is not currently supported.

From Command Line

  1. Ensure that the property algorithm for keyType keySigning is not using RSASHA1:
     gcloud dns managed-zones describe ZONE_NAME --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"
  2. If it is necessary to change the settings for a managed zone where DNSSEC has already been enabled, DNSSEC must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:
     gcloud dns managed-zones update ZONE_NAME --dnssec-state off
  3. To update the key-signing key for a reported managed DNS zone, run the following command:
     gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Supported algorithm options and key lengths are described and updated on this page: https://cloud.google.com/dns/docs/dnssec-advanced#advanced-signing-options
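The following Python script is an added example, not CloudGuard's or Google's own code. It applies the GSL logic above to the JSON that step 1's describe command prints, and then builds the two gcloud commands of steps 2 and 3 from the zone's existing DNSSEC settings. The describe output is a constructed sample, the zone name example-zone is made up, and the replacement KSK algorithm defaults to rsasha256, which is this example's choice; pick the algorithm and key length from the advanced-signing-options page linked above.

```python
"""Evaluate CloudGuard rule D9.GCP.NET.27 against `gcloud dns managed-zones
describe` output and derive the remediation commands from the page's procedure.
Added example; the sample JSON below is constructed, not real gcloud output."""
import json
import shlex

# Constructed sample of what `gcloud dns managed-zones describe ZONE_NAME
# --format=json` returns for a zone whose key-signing key still uses RSASHA1.
NONCOMPLIANT_DESCRIBE_JSON = """
{
  "dnsName": "example.com.",
  "dnssecConfig": {
    "defaultKeySpecs": [
      {"algorithm": "rsasha1",   "keyLength": 2048, "keyType": "keySigning",  "kind": "dns#dnsKeySpec"},
      {"algorithm": "rsasha256", "keyLength": 1024, "keyType": "zoneSigning", "kind": "dns#dnsKeySpec"}
    ],
    "kind": "dns#managedZoneDnsSecConfig",
    "nonExistence": "nsec3",
    "state": "on"
  }
}
"""

# Constructed sample of a zone that already passes the rule.
COMPLIANT_DESCRIBE_JSON = NONCOMPLIANT_DESCRIBE_JSON.replace('"rsasha1"', '"rsasha256"')


def parse_describe_output(text: str) -> dict:
    """Parse the JSON printed by `gcloud ... describe --format=json`."""
    return json.loads(text)


def ksk_uses_rsasha1(zone: dict) -> bool:
    """GSL logic of the rule: true when dnssecConfig.defaultKeySpecs contains an
    entry with keyType 'keySigning' and algorithm 'rsasha1'."""
    specs = zone.get("dnssecConfig", {}).get("defaultKeySpecs", [])
    return any(
        spec.get("keyType") == "keySigning"
        and str(spec.get("algorithm", "")).lower() == "rsasha1"
        for spec in specs
    )


def remediation_commands(zone_name: str, zone: dict, ksk_algorithm: str = "rsasha256") -> list:
    """Return the two commands from the page's procedure: turn DNSSEC off, then
    turn it back on with a new KSK algorithm while keeping the zone's current
    KSK length, ZSK settings and denial-of-existence mode. Returns [] when the
    zone is not flagged. `ksk_algorithm` defaults to rsasha256 (this example's
    assumption); the supported options are listed on the linked Google page."""
    if not ksk_uses_rsasha1(zone):
        return []
    cfg = zone["dnssecConfig"]
    by_type = {spec["keyType"]: spec for spec in cfg["defaultKeySpecs"]}
    ksk, zsk = by_type["keySigning"], by_type["zoneSigning"]

    turn_off = ["gcloud", "dns", "managed-zones", "update", zone_name,
                "--dnssec-state", "off"]
    turn_on = ["gcloud", "dns", "managed-zones", "update", zone_name,
               "--dnssec-state", "on",
               "--ksk-algorithm", ksk_algorithm,
               "--ksk-key-length", str(ksk["keyLength"]),
               "--zsk-algorithm", zsk["algorithm"],
               "--zsk-key-length", str(zsk["keyLength"]),
               "--denial-of-existence", cfg["nonExistence"]]
    # shlex.join quotes any token that needs it, so the lines are safe to paste.
    return [shlex.join(turn_off), shlex.join(turn_on)]


if __name__ == "__main__":
    for label, text in (("noncompliant", NONCOMPLIANT_DESCRIBE_JSON),
                        ("compliant", COMPLIANT_DESCRIBE_JSON)):
        zone = parse_describe_output(text)
        print(f"{label}: KSK on RSASHA1 = {ksk_uses_rsasha1(zone)}")
        for cmd in remediation_commands("example-zone", zone):
            print("  ", cmd)
```

Run it as-is to see the rule verdict for both samples; in practice, pipe the real describe output of step 1 into parse_describe_output. The remediation function deliberately copies the zone's current ZSK settings and nonExistence value into the re-enable command, since step 3 requires all of them to be supplied again once DNSSEC has been turned off.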

From TF
For the resource google_dns_managed_zone, when key_type is "keySigning", make sure google_dns_managed_zone.dnssec_config.default_key_specs.algorithm is NOT set to "rsasha1" in your template.
See the (non-compliant) example below:

resource "google_dns_managed_zone" "bad-example-zone" {
  name        = "bad-example-zone"
  dns_name    = "example.com."
  description = "Bad Example DNS zone"
  ...
  dnssec_config {
    default_key_specs {
      ...
      algorithm = "rsasha1"
      key_type = "keySigning"
      ...
    }
  }
  ...
}

References

  1. https://workbench.cisecurity.org/sections/507171/recommendations/827576
  2. https://cloud.google.com/dns/docs/dnssec-advanced
  3. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#key_type

GCP DNS Managed Zone

A zone is a subtree of the DNS namespace under one administrative responsibility. A ManagedZone is a resource that represents a DNS zone hosted by the Cloud DNS service.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5