
lacework-global-260

3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key (KSK) in Cloud Domain Name System (DNS) DNSSEC (Automated)

note

This rule has been changed to automated, see Automated Policies for CIS GCP 1.3.0 for details.

Profile Applicability

• Level 1

Description

note

Google Cloud has removed the SHA-1 algorithm from general use. If it is still required, Google must whitelist it for the project on a per-project basis, which in turn requires a Google Cloud support contract.

The DNSSEC algorithm numbers in the IANA DNSSEC Algorithm Numbers registry may also be used in CERT resource records. Zone signing (DNSSEC) and the transaction security mechanisms SIG(0) and TSIG each make use of particular subsets of these algorithms. The algorithm used for the key-signing key should be a recommended one and it should be strong. RSASHA1 depends on SHA-1, for which practical collision attacks exist, so it is no longer recommended for signing.

Rationale

Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.

The algorithm used for key signing should be a recommended one and it should be strong. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.

Audit

Currently there is no support for auditing this setting through the console.

From Command Line:

In the output, locate the entry in dnssecConfig.defaultKeySpecs whose keyType is keySigning and ensure that its algorithm is not RSASHA1 (the API reports algorithm names in lower case, for example rsasha1). If dnssecConfig.state is off, no signing keys are in use and there is no KSK to evaluate.

gcloud dns managed-zones describe ZONENAME --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"

Remediation

  1. If it is necessary to change the settings for a managed zone with DNSSEC enabled, you must turn off and re-enable DNSSEC with different settings. To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONENAME --dnssec-state off
  2. To re-enable DNSSEC with a new Key-Signing Key (KSK) and Zone-Signing Key (ZSK) algorithm and key length for the reported managed DNS zone, run the following command:
gcloud dns managed-zones update ZONENAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Supported algorithm options and key lengths (in bits) are as follows:

Algorithm         KSK Length   ZSK Length
---------------   ----------   ----------
RSASHA1           1024, 2048   1024, 2048
RSASHA256         1024, 2048   1024, 2048
RSASHA512         1024, 2048   1024, 2048
ECDSAP256SHA256   256          256
ECDSAP384SHA384   384          384
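The following is an added example, not code from Lacework, CIS or Google, that applies the audit and remediation steps above to the JSON printed by the gcloud describe command. It parses the dnsName, dnssecConfig.state and dnssecConfig.defaultKeySpecs fields named in that command, flags a keySigning spec whose algorithm is rsasha1 (and, going beyond this rule, reports the same for the zoneSigning spec), and builds the two remediation commands, refusing any algorithm or key length outside the table above. Assumptions: the Cloud DNS API reports algorithm names in lower case, so comparison is case-insensitive; the sample JSON is constructed, not captured from a real project; and the managed zone's resource name is not in the describe output, so ZONENAME is passed in separately.

```python
"""Audit Cloud DNS managed-zone JSON for an RSASHA1 key-signing key and
build the matching remediation commands (CIS GCP 1.3.0 rule 3.4).

Input is the JSON printed by:
  gcloud dns managed-zones describe ZONENAME \
    --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"
A JSON list (as printed by `gcloud dns managed-zones list --format=json`)
is also accepted.
"""
import json
from typing import Any, Dict, List

# Rule 3.4 forbids RSASHA1 only. Anything not in the supported table is
# reported as well so the check fails closed on unexpected values.
WEAK = {"rsasha1"}
SUPPORTED = {  # algorithm -> key lengths gcloud accepts (table on this page)
    "rsasha1": {1024, 2048},
    "rsasha256": {1024, 2048},
    "rsasha512": {1024, 2048},
    "ecdsap256sha256": {256},
    "ecdsap384sha384": {384},
}


def audit_zone(zone: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate one managed-zone record and return a verdict with findings."""
    cfg = zone.get("dnssecConfig") or {}
    state = str(cfg.get("state", "off")).lower()
    verdict: Dict[str, Any] = {
        "dnsName": zone.get("dnsName", "<unknown>"),
        "dnssecState": state,
        "compliant": True,
        "findings": [],
    }
    if state != "on":
        # No signing keys are in use, so there is no KSK to evaluate here.
        verdict["findings"].append("DNSSEC is not enabled; no KSK in use")
        return verdict
    specs = cfg.get("defaultKeySpecs") or []
    if not any(s.get("keyType") == "keySigning" for s in specs):
        verdict["compliant"] = False
        verdict["findings"].append("no keySigning spec in defaultKeySpecs")
    for spec in specs:
        alg = str(spec.get("algorithm", "")).lower()  # API values are lower case (assumption)
        ktype = spec.get("keyType", "?")
        if alg in WEAK:
            verdict["compliant"] = False
            verdict["findings"].append(f"{ktype} uses {alg}")
        elif alg not in SUPPORTED:
            verdict["compliant"] = False
            verdict["findings"].append(f"{ktype} uses unrecognised algorithm {alg!r}")
    return verdict


def audit_output(raw: str) -> List[Dict[str, Any]]:
    """Accept one zone object (describe) or a list of zones (list)."""
    data = json.loads(raw)
    zones = data if isinstance(data, list) else [data]
    return [audit_zone(z) for z in zones]


def remediation_commands(zone_name: str, ksk_alg: str = "rsasha256", ksk_len: int = 2048,
                         zsk_alg: str = "rsasha256", zsk_len: int = 1024,
                         denial: str = "nsec3") -> List[List[str]]:
    """Return the two gcloud commands from the remediation steps as argv lists.

    Raises ValueError rather than emitting a command gcloud would reject or one
    that would reintroduce RSASHA1.
    """
    for alg, length in ((ksk_alg.lower(), ksk_len), (zsk_alg.lower(), zsk_len)):
        if alg in WEAK:
            raise ValueError(f"{alg} is exactly what this rule forbids")
        if alg not in SUPPORTED or length not in SUPPORTED[alg]:
            raise ValueError(f"unsupported algorithm/key length: {alg}/{length}")
    if denial not in {"nsec", "nsec3"}:
        raise ValueError("denial-of-existence must be nsec or nsec3")
    base = ["gcloud", "dns", "managed-zones", "update", zone_name]
    return [
        base + ["--dnssec-state", "off"],
        base + ["--dnssec-state", "on",
                "--ksk-algorithm", ksk_alg.lower(), "--ksk-key-length", str(ksk_len),
                "--zsk-algorithm", zsk_alg.lower(), "--zsk-key-length", str(zsk_len),
                "--denial-of-existence", denial],
    ]


# Constructed sample in the shape the describe command prints; not real output.
SAMPLE_DESCRIBE = json.dumps({
    "dnsName": "example.com.",
    "dnssecConfig": {
        "state": "on",
        "defaultKeySpecs": [
            {"algorithm": "rsasha1", "keyLength": 2048, "keyType": "keySigning", "kind": "dns#dnsKeySpec"},
            {"algorithm": "rsasha256", "keyLength": 1024, "keyType": "zoneSigning", "kind": "dns#dnsKeySpec"},
        ],
    },
})

if __name__ == "__main__":
    for verdict in audit_output(SAMPLE_DESCRIBE):
        print(verdict)
        if not verdict["compliant"] and verdict["dnssecState"] == "on":
            # ZONENAME is a placeholder: the describe output above does not carry the resource name.
            for argv in remediation_commands("ZONENAME", "ecdsap256sha256", 256):
                print(" ".join(argv))
```

Run it as `gcloud dns managed-zones describe ZONENAME --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)" | python3 audit_ksk.py` after replacing the sample with `sys.stdin.read()`. Note that the ZSK findings are outside the scope of rule 3.4 and are reported for convenience; the remediation builder deliberately keeps the two steps separate because, as stated above, the algorithm change only takes effect when DNSSEC is turned off first.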

References

https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options

Additional Information

  1. You may require RSASHA1 key-signing support for compatibility reasons, for example where a parent zone or validating resolver does not yet support a stronger algorithm.
  2. The remediation CLI commands work with gcloud CLI version 221.0.0 and later.