More Info:

Ensure that DNSSEC is enabled for Cloud DNS.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the DNSSEC misconfiguration in GCP using the GCP console, follow these steps:
  1. Open the GCP console and navigate to the Cloud DNS page.
  2. Select the DNS zone for which you want to enable DNSSEC.
  3. Click on the “DNSSEC” tab.
  4. Click on the “Enable DNSSEC” button.
  5. Enter the KSK (Key Signing Key) and ZSK (Zone Signing Key) values. You can either generate these keys yourself or use the default values provided by GCP.
  6. Click on the “Enable” button to enable DNSSEC for the selected DNS zone.
  7. Once DNSSEC is enabled, you can verify it by checking the “DNSSEC Status” column on the Cloud DNS page. It should show “Enabled” for the selected DNS zone.
That’s it! You have successfully remediated the DNSSEC misconfiguration in GCP using the GCP console.

To remediate the DNSSEC misconfiguration in GCP using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and navigate to the Cloud Shell.
  2. In the Cloud Shell, run the following command to enable DNSSEC for Cloud DNS: 
    gcloud dns managed-zones update [ZONE_NAME] --dnssec-state on
    Replace [ZONE_NAME] with the name of the managed zone for which you want to enable DNSSEC.
  3. Verify that DNSSEC has been enabled by running the following command: 
    gcloud dns managed-zones describe [ZONE_NAME] --format="json(dnssecConfig.state)"
    This command will return the DNSSEC state of the managed zone. If DNSSEC is enabled, the output will be: 
    {
  "dnssecConfig": {
    "state": "on"
  }
}
  4. Repeat steps 2 and 3 for all the managed zones that need to have DNSSEC enabled.
  5. Verify that DNSSEC is working by checking the DNSSEC status of your domain using a DNSSEC validation tool. DNSViz is a useful tool for this purpose. You can enter your domain name and DNSSEC will be validated for your domain.
By following these steps, you can remediate the DNSSEC misconfiguration in GCP using GCP CLI.
To remediate the misconfiguration of DNSSEC not being enabled for Cloud DNS in GCP using Python, you can follow the below steps:
  1. Import the necessary libraries:
from google.cloud import dns
from google.oauth2 import service_account
  1. Set up authentication using a service account key:
credentials = service_account.Credentials.from_service_account_file('path/to/service_account_key.json')
client = dns.Client(project='your-project-id', credentials=credentials)
  1. Get the existing DNS policy for your Cloud DNS zone:
zone_name = 'your-zone-name'
zone = client.zone(zone_name)
dns_policy = zone.dnssec_config
  1. Check if DNSSEC is already enabled:
if dns_policy.state == 'on':
    print('DNSSEC is already enabled')
else:
    # Enable DNSSEC
    dns_policy.state = 'on'
    zone.update(dns_policy=dns_policy)
    print('DNSSEC has been enabled')
  1. Verify that DNSSEC is enabled:
if zone.dnssec_config.state == 'on':
    print('DNSSEC is enabled')
else:
    print('DNSSEC is not enabled')
By following these steps, you can remediate the misconfiguration of DNSSEC not being enabled for Cloud DNS in GCP using Python.