Skip to main content

More Info:

Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the RSASHA1 should not be used for key signing issue on GCP, you can follow the below steps:
  1. Open the Cloud Console and navigate to the Cloud DNS page.
  2. Select the name of the managed zone for which you want to update the DNSSEC settings.
  3. In the Security section, click on the Edit button.
  4. In the Algorithms section, uncheck the RSASHA1 checkbox.
  5. Click Save to update the DNSSEC settings.
By unchecking the RSASHA1 checkbox, you will ensure that the RSASHA1 algorithm is not used for key signing, which will remediate the issue.

To remediate the “RSASHA1 Should Not Be Used For Key Signing” misconfiguration in GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to list all the DNS managed zones in your project: 
    gcloud dns managed-zones list
  3. Choose the managed zone for which you want to remediate the misconfiguration and note down the managed-zone-name.
  4. Run the following command to get the DNSSEC configuration for the chosen managed zone: 
    gcloud dns managed-zones describe <managed-zone-name>
  5. If the state field in the output shows on, then DNSSEC is enabled for the zone and you need to disable it.
  6. Run the following command to disable DNSSEC for the chosen managed zone: 
    gcloud dns managed-zones update <managed-zone-name> --dnssec-state off
  7. Verify that the state field in the output of the describe command shows off to confirm that DNSSEC has been disabled for the managed zone.
By following these steps, you can remediate the “RSASHA1 Should Not Be Used For Key Signing” misconfiguration in GCP using GCP CLI.
To remediate the RSASHA1 should not be used for key signing issue in GCP using Python, you can follow the below steps:
  1. Install the Google Cloud DNS Python library using the following command:
pip install google-cloud-dns
  1. Create a DNS client object using the following code:
from google.cloud import dns

client = dns.Client()
  1. Get the DNS zone using the following code:
zone_name = 'example.com.'
zone = client.zone(zone_name)
  1. Get the DNS records using the following code:
records = zone.list_resource_record_sets()
  1. Iterate over the records and check if any record uses the RSASHA1 algorithm for key signing. If found, update the record using the SHA256 algorithm using the following code:
for record in records:
    if record.signature_algorithm == 'RSASHA1':
        record.signature_algorithm = 'RSASHA256'
        zone.update_record(record)
  1. Once all the records have been updated, commit the changes using the following code:
zone.commit()
By following these steps, you can remediate the RSASHA1 should not be used for key signing issue in GCP using Python.