More Info:

Ensure that Cloud DNS Managed Zones use secure algorithm for encryption.

Risk Level

High

Address

Security

Compliance Standards

SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “GCP DNS Managed Zones Should Use Secure Algorithm” for GCP using GCP console, follow these steps:
  1. Open the GCP console and select the project where the DNS Managed Zone is located.
  2. In the left-hand navigation menu, click on “Network services” and select “Cloud DNS”.
  3. In the Cloud DNS dashboard, select the DNS Managed Zone that needs to be remediated.
  4. Click on the “Edit” button at the top of the page.
  5. In the “Zone details” section, select the “Advanced” tab.
  6. In the “DNSSEC” section, select the “Enable DNSSEC” checkbox.
  7. Select the “Algorithm” dropdown and choose a secure algorithm such as “RSASHA256”.
  8. Click on the “Save” button at the bottom of the page to save the changes.
  9. Verify that the DNS Managed Zone is now using a secure algorithm by checking the “DNSSEC” section of the “Zone details” page.
By following these steps, you have successfully remediated the misconfiguration “GCP DNS Managed Zones Should Use Secure Algorithm” for GCP using GCP console.

To remediate the misconfiguration “GCP DNS Managed Zones Should Use Secure Algorithm” for GCP using GCP CLI, follow the steps given below:
  1. Open the GCP Cloud Shell by clicking on the Activate Cloud Shell icon on the top right corner of the GCP Console.
  2. Run the following command to list all the DNS managed zones in your GCP project: 
gcloud dns managed-zones list
  1. Identify the DNS managed zone that is using an insecure algorithm.
  2. Run the following command to update the DNS managed zone to use a secure algorithm: 
gcloud dns managed-zones update [ZONE_NAME] --dnssec-algorithm=RSASHA256
Make sure to replace [ZONE_NAME] with the name of the DNS managed zone that you want to update.
  1. Verify that the DNS managed zone is updated to use a secure algorithm by running the following command:
gcloud dns managed-zones describe [ZONE_NAME] | grep -i algorithm
Make sure that the output shows the algorithm as “RSASHA256”.By following these steps, you can remediate the misconfiguration “GCP DNS Managed Zones Should Use Secure Algorithm” for GCP using GCP CLI.
To remediate the GCP DNS Managed Zones Should Use Secure Algorithm misconfiguration, follow these steps:
  1. Install the Google Cloud SDK by following the instructions at https://cloud.google.com/sdk/docs/install.
  2. Set up authentication for the Google Cloud SDK by running gcloud auth login and following the instructions.
  3. Install the google-cloud-dns Python library by running pip install google-cloud-dns.
  4. Write a Python script to update the DNS managed zones to use a secure algorithm. Here’s an example script: 
from google.cloud import dns

# Set the project ID and managed zone name
project_id = 'your-project-id'
zone_name = 'your-zone-name'

# Create a DNS client
client = dns.Client(project=project_id)

# Get the managed zone
zone = client.zone(zone_name)

# Update the DNSSEC algorithm
zone.dnssec_config.algorithm = 'rsasha256'

# Update the managed zone
zone.update()

print('Managed zone updated successfully.')
Replace your-project-id and your-zone-name with your actual project ID and managed zone name.
  1. Run the Python script by running python script.py.
This will update the DNS managed zone to use a secure algorithm (in this case, rsasha256). Repeat this process for all other DNS managed zones in your GCP project.

Additional Reading: