GCP DNS Managed Zones Should Use Key Signing Key

More Info:

Ensure that Cloud DNS Managed Zones use key signing key.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the GCP DNS Managed Zones Should Use Key Signing Key misconfiguration using GCP CLI, follow these steps:

Open the Google Cloud Console and select the project where you want to remediate the misconfiguration.
Open the Cloud Shell by clicking on the icon in the top right corner of the console.
Run the following command to list all the managed zones in the project:
```
gcloud dns managed-zones list
```
Identify the managed zone that needs to be remediated and note down its name.
Run the following command to update the managed zone to use a key signing key:
```
gcloud dns managed-zones update [MANAGED_ZONE_NAME] --dnssec-state on --ksk-key-signing-algorithm [ALGORITHM]
```
Replace [MANAGED_ZONE_NAME] with the name of the managed zone that you identified in step 4, and [ALGORITHM] with the key signing algorithm that you want to use (e.g. “rsasha256”).
Verify that the managed zone has been updated by running the following command:
```
gcloud dns managed-zones describe [MANAGED_ZONE_NAME] --format="table(dnssecConfig.state, dnssecConfig.defaultKeySpecs[0].keyType, dnssecConfig.defaultKeySpecs[0].algorithm)"
```
This command should display the updated DNSSEC state, key type and algorithm for the managed zone.

By following these steps, you should be able to remediate the GCP DNS Managed Zones Should Use Key Signing Key misconfiguration using GCP CLI.

Using Python

To remediate the misconfiguration “GCP DNS Managed Zones Should Use Key Signing Key”, we need to perform the following steps:Step 1: Create a new Key Signing Key (KSK) in Cloud DNS

from google.cloud import dns

client = dns.Client()

zone_name = "example.com."
zone = client.zone(zone_name)

ksk = zone.create_dnssec_key(
    key_type=dns.DnssecKeyAlgorithm.RSASHA256,
    key_length=2048,
    key_signing=True
)

print("Created KSK with ID: {}".format(ksk.id))

Step 2: Update the DNSSEC configuration of the Managed Zone to use the new KSK

from google.cloud import dns

client = dns.Client()

zone_name = "example.com."
zone = client.zone(zone_name)

dnssec_config = zone.dnssec_config
dnssec_config.state = dns.DnssecState.ON
dnssec_config.default_key_signing_key = ksk.id

zone.update(dnssec_config=dnssec_config)

Step 3: Wait for the DNSSEC configuration to propagateDNSSEC changes can take up to 24 hours to propagate, so we need to wait for the changes to take effect.

import time

time.sleep(3600) # Wait for 1 hour

That’s it! The DNS Managed Zone in GCP should now be using a Key Signing Key.

Additional Reading:

https://cloud.google.com/dns/docs/dnskeys

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

GCP DNS Managed Zones Should Use Key Signing Key

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: