RSASHA1 Should Not Be Used For Key Signing

More Info:

Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “RSASHA1 Should Not Be Used For Key Signing” misconfiguration in GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in the GCP Console.
Run the following command to list all the DNS managed zones in your project:
```
gcloud dns managed-zones list
```
Choose the managed zone for which you want to remediate the misconfiguration and note down the managed-zone-name.
Run the following command to get the DNSSEC configuration for the chosen managed zone:
```
gcloud dns managed-zones describe <managed-zone-name>
```
If the state field in the output shows on, then DNSSEC is enabled for the zone and you need to disable it.
Run the following command to disable DNSSEC for the chosen managed zone:
```
gcloud dns managed-zones update <managed-zone-name> --dnssec-state off
```
Verify that the state field in the output of the describe command shows off to confirm that DNSSEC has been disabled for the managed zone.

By following these steps, you can remediate the “RSASHA1 Should Not Be Used For Key Signing” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the RSASHA1 should not be used for key signing issue in GCP using Python, you can follow the below steps:

Install the Google Cloud DNS Python library using the following command:

pip install google-cloud-dns

Create a DNS client object using the following code:

from google.cloud import dns

client = dns.Client()

Get the DNS zone using the following code:

zone_name = 'example.com.'
zone = client.zone(zone_name)

Get the DNS records using the following code:

records = zone.list_resource_record_sets()

Iterate over the records and check if any record uses the RSASHA1 algorithm for key signing. If found, update the record using the SHA256 algorithm using the following code:

for record in records:
    if record.signature_algorithm == 'RSASHA1':
        record.signature_algorithm = 'RSASHA256'
        zone.update_record(record)

Once all the records have been updated, commit the changes using the following code:

zone.commit()

By following these steps, you can remediate the RSASHA1 should not be used for key signing issue in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

RSASHA1 Should Not Be Used For Key Signing

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation