RSASHA1 Should Not Be Used For Zone Signing

More Info:

Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “RSASHA1 Should Not Be Used For Zone Signing” misconfiguration in GCP using GCP CLI, you can follow the steps below:

Open the Cloud Shell in GCP Console.
Run the following command to list all the managed zones in your project:
```
gcloud dns managed-zones list
```
Choose the managed zone that you want to update and note down its name.
Run the following command to update the DNSSEC algorithm for the chosen managed zone:
```
gcloud dns managed-zones update [MANAGED_ZONE_NAME] --dnssec-algorithm=RSASHA256
```
Note: Replace [MANAGED_ZONE_NAME] with the name of the managed zone that you want to update.
Verify that the DNSSEC algorithm has been updated successfully by running the following command:
```
gcloud dns managed-zones describe [MANAGED_ZONE_NAME] --format="value(dnssecConfig.defaultKeySpecs[0].algorithm)"
```
Note: Replace [MANAGED_ZONE_NAME] with the name of the managed zone that you updated in Step 4. The output of this command should be “RSASHA256”, which indicates that the DNSSEC algorithm has been updated successfully.
Repeat Steps 4 and 5 for all the managed zones in your project.

By following these steps, you can remediate the “RSASHA1 Should Not Be Used For Zone Signing” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the “RSASHA1 Should Not Be Used For Zone Signing” issue for GCP using Python, you can follow the below steps:

First, you need to authenticate to GCP using the Google Cloud SDK and set up a project.
Next, you need to install the Google Cloud DNS API client library for Python using the following command:
```
pip install google-cloud-dns
```
Once the library is installed, you can write a Python script to retrieve the DNS zone for which you want to remediate the issue. You can use the following code snippet:
```
from google.cloud import dns

# Authenticate to GCP
client = dns.Client()

# Retrieve the DNS zone
zone_name = 'example.com.'
zone = client.zone(zone_name)
```
Once you have retrieved the DNS zone, you can update the zone signing algorithm to use a more secure algorithm. You can use the following code snippet to update the zone signing algorithm to RSASHA256:
```
from google.cloud.dns import record

# Update the zone signing algorithm
zone.dnssec_config.default_key_spec = record.RSASHA256
zone.update()
```

Finally, you can verify that the zone signing algorithm has been updated by retrieving the DNS zone and checking the default key specification:

# Retrieve the DNS zone
zone = client.zone(zone_name)

# Check the default key specification
default_key_spec = zone.dnssec_config.default_key_spec
print(f'Default key specification: {default_key_spec}')

By following these steps, you can remediate the “RSASHA1 Should Not Be Used For Zone Signing” issue for GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

RSASHA1 Should Not Be Used For Zone Signing

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation