Triage and Remediation
Remediation
Using Console
To remediate the "RSASHA1 Should Not Be Used For Key Signing" issue on GCP, follow these steps:
- Open the Cloud Console and navigate to the Cloud DNS page.
- Select the name of the managed zone for which you want to update the DNSSEC settings.
- In the Security section, click on the Edit button.
- In the Algorithms section, uncheck the RSASHA1 checkbox.
- Click Save to update the DNSSEC settings.
Using CLI
To remediate the "RSASHA1 Should Not Be Used For Key Signing" misconfiguration in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
- Run the following command to list all the DNS managed zones in your project:
- Choose the managed zone for which you want to remediate the misconfiguration and note down its `managed-zone-name`.
- Run the following command to get the DNSSEC configuration for the chosen managed zone:
- If the `state` field in the output shows `on`, DNSSEC is enabled for the zone and you need to disable it.
- Run the following command to disable DNSSEC for the chosen managed zone:
- Verify that the `state` field in the output of the `describe` command shows `off` to confirm that DNSSEC has been disabled for the managed zone.
Using Python
To remediate the "RSASHA1 Should Not Be Used For Key Signing" issue in GCP using Python, follow these steps:
- Install the Google Cloud DNS Python library using the following command:
- Create a DNS client object using the following code:
- Get the DNS zone using the following code:
- Get the DNS records using the following code:
- Iterate over the records and check if any record uses the RSASHA1 algorithm for key signing. If found, update the record to use the SHA256 algorithm using the following code:
- Once all the records have been updated, commit the changes using the following code:
By following these steps, you can remediate the "RSASHA1 Should Not Be Used For Key Signing" issue in GCP using Python.
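The following is an added example, not code from this page or from the Google Cloud DNS library: it turns the CLI and Python steps above into one offline check that reads a zone's JSON (the shape returned by `gcloud dns managed-zones describe ZONE --format=json`, i.e. the Cloud DNS API v1 managedZones resource with `dnssecConfig.state`, `defaultKeySpecs` and `nonExistence`), lists the key specs still using RSASHA1, and builds the ordered `managedZones.patch` bodies that swap them to RSASHA256. It works on the zone-level `dnssecConfig` rather than individual records, assumes key specs can only be changed while DNSSEC is off (hence the off-then-on sequence, matching the disable step in the CLI section), and leaves sending the patch bodies to the operator.

```python
"""Plan the RSASHA1 -> RSASHA256 change for a Cloud DNS zone's dnssecConfig.
Input is the zone JSON from `gcloud dns managed-zones describe ZONE --format=json`;
output is the ordered list of bodies for the Cloud DNS API managedZones.patch call."""
import json

WEAK_ALGORITHMS = {"rsasha1"}  # deprecated; what the check on this page flags
REPLACEMENT = "rsasha256"      # accepts the same keyLength values, so those are kept

def weak_key_specs(zone: dict) -> list:
    """Return the defaultKeySpecs entries whose algorithm is on the weak list."""
    specs = zone.get("dnssecConfig", {}).get("defaultKeySpecs", [])
    return [s for s in specs if s.get("algorithm", "").lower() in WEAK_ALGORITHMS]

def remediation_patches(zone: dict) -> list:
    """Key specs cannot be changed on a signed zone (assumption stated in the lead-in),
    so if DNSSEC is on the plan is: patch state off, then patch the new specs together
    with the original state. Returns [] when the zone has no weak key specs."""
    if not weak_key_specs(zone):
        return []
    cfg = zone["dnssecConfig"]
    new_specs = [{**s, "algorithm": REPLACEMENT}
                 if s.get("algorithm", "").lower() in WEAK_ALGORITHMS else dict(s)
                 for s in cfg.get("defaultKeySpecs", [])]
    state = cfg.get("state", "off")
    patches = [{"dnssecConfig": {"state": "off"}}] if state != "off" else []
    final = {"state": state, "defaultKeySpecs": new_specs}
    if "nonExistence" in cfg:  # keep the NSEC/NSEC3 choice unchanged
        final["nonExistence"] = cfg["nonExistence"]
    patches.append({"dnssecConfig": final})
    return patches

# Constructed sample zone (not real output), shaped like `describe --format=json`.
SAMPLE_ZONE = {
    "name": "example-zone", "dnsName": "example.com.",
    "dnssecConfig": {
        "state": "on", "nonExistence": "nsec3",
        "defaultKeySpecs": [
            {"keyType": "keySigning", "algorithm": "rsasha1", "keyLength": 2048},
            {"keyType": "zoneSigning", "algorithm": "rsasha1", "keyLength": 1024}]}}

if __name__ == "__main__":
    for body in remediation_patches(SAMPLE_ZONE):
        print(json.dumps(body, indent=2))
```

Run the script against the real `describe` output to see exactly which keys are affected before any patch is sent; a zone whose DNSSEC is already off gets a single patch, so it stays unsigned until you turn it on deliberately.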