Skip to main content

More Info:

Ensure that Cloud DNS Managed Zones use key signing key.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “GCP DNS Managed Zones Should Use Key Signing Key” for GCP using GCP console, please follow the below steps:
  1. Login to your GCP console.
  2. Navigate to the Cloud DNS page by clicking on the Navigation menu > Network services > Cloud DNS.
  3. Select the DNS zone that you want to remediate.
  4. Click on the “DNSSEC” tab.
  5. Check if the DNSSEC is enabled or not. If not, click on the “Enable DNSSEC” button.
  6. Once the DNSSEC is enabled, you will see the Key Signing Key (KSK) and Zone Signing Key (ZSK) options.
  7. Click on the “Add KSK” button to add a new Key Signing Key.
  8. Enter the required details like algorithm type, key size, and description.
  9. Click on the “Create” button to create a new KSK.
  10. Once the KSK is created, you will see it in the list of KSKs.
  11. Now, select the KSK that you have just created and click on the “Activate” button to activate it.
  12. Once the KSK is activated, it will be used for signing the DNS records in the managed zone.
This completes the remediation of the misconfiguration “GCP DNS Managed Zones Should Use Key Signing Key” for GCP using GCP console.

To remediate the GCP DNS Managed Zones Should Use Key Signing Key misconfiguration using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and select the project where you want to remediate the misconfiguration.
  2. Open the Cloud Shell by clicking on the icon in the top right corner of the console.
  3. Run the following command to list all the managed zones in the project: 
    gcloud dns managed-zones list
  4. Identify the managed zone that needs to be remediated and note down its name.
  5. Run the following command to update the managed zone to use a key signing key: 
    gcloud dns managed-zones update [MANAGED_ZONE_NAME] --dnssec-state on --ksk-key-signing-algorithm [ALGORITHM]
    Replace [MANAGED_ZONE_NAME] with the name of the managed zone that you identified in step 4, and [ALGORITHM] with the key signing algorithm that you want to use (e.g. “rsasha256”).
  6. Verify that the managed zone has been updated by running the following command: 
    gcloud dns managed-zones describe [MANAGED_ZONE_NAME] --format="table(dnssecConfig.state, dnssecConfig.defaultKeySpecs[0].keyType, dnssecConfig.defaultKeySpecs[0].algorithm)"
    This command should display the updated DNSSEC state, key type and algorithm for the managed zone.
By following these steps, you should be able to remediate the GCP DNS Managed Zones Should Use Key Signing Key misconfiguration using GCP CLI.
To remediate the misconfiguration “GCP DNS Managed Zones Should Use Key Signing Key”, we need to perform the following steps:Step 1: Create a new Key Signing Key (KSK) in Cloud DNS
from google.cloud import dns

client = dns.Client()

zone_name = "example.com."
zone = client.zone(zone_name)

ksk = zone.create_dnssec_key(
    key_type=dns.DnssecKeyAlgorithm.RSASHA256,
    key_length=2048,
    key_signing=True
)

print("Created KSK with ID: {}".format(ksk.id))
Step 2: Update the DNSSEC configuration of the Managed Zone to use the new KSK
from google.cloud import dns

client = dns.Client()

zone_name = "example.com."
zone = client.zone(zone_name)

dnssec_config = zone.dnssec_config
dnssec_config.state = dns.DnssecState.ON
dnssec_config.default_key_signing_key = ksk.id

zone.update(dnssec_config=dnssec_config)
Step 3: Wait for the DNSSEC configuration to propagateDNSSEC changes can take up to 24 hours to propagate, so we need to wait for the changes to take effect.
import time

time.sleep(3600) # Wait for 1 hour
That’s it! The DNS Managed Zone in GCP should now be using a Key Signing Key.

Additional Reading: