Ensure that the Domain Name System Security Extensions (DNSSEC) feature is not using the deprecated RSASHA1 algorithm for the Zone-Signing Key (ZSK) associated with your public DNS managed zone.
When enabling the DNSSEC security feature for an existing managed DNS zone, or creating a managed zone with DNSSEC enabled, you can select the DNSSEC signing algorithms and the denial-of-existence type. To follow security best practices, avoid using the RSASHA1 signature algorithm for DNSSEC signing unless it is required for compatibility reasons, because SHA-1 is considered weak and vulnerable to collision attacks. The algorithm used for DNSSEC signing should be a strong one, such as RSASHA256; this algorithm is secure and widely deployed, which makes it a good candidate for both DNSSEC validation and signing.
Note: This rule assumes that the DNSSEC feature is enabled for all your Google Cloud DNS managed zones; otherwise, follow the steps outlined in this conformity rule to enable DNSSEC.
To determine the type of DNSSEC Zone-Signing Key algorithm configured for your public DNS managed zones, perform the following actions:
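As an added example (not part of this page's own steps or of Google's tooling), the following Python checker evaluates the `dnssecConfig` of a Cloud DNS managed zone in the JSON shape returned by `gcloud dns managed-zones describe ZONE --format=json` (the `state`, `defaultKeySpecs`, `keyType` and `algorithm` field names follow the Cloud DNS API managed-zone resource). It flags a public zone whose zone-signing key spec uses `rsasha1`, and also reports zones where DNSSEC is off, since the rule assumes DNSSEC is enabled. The zone records below are constructed sample data, not output from a real project.

```python
import json
import subprocess
from typing import Dict, List

# ZSK algorithms this check treats as deprecated; RSASHA1 is the one the rule flags.
DEPRECATED_ZSK_ALGORITHMS = {"rsasha1"}


def zsk_findings(zone: Dict) -> List[str]:
    """Return human-readable findings for one managed zone.

    `zone` is the JSON object printed by
    `gcloud dns managed-zones describe ZONE --format=json`.
    An empty list means the zone passes this check.
    """
    name = zone.get("name", "<unknown>")
    # The rule concerns public zones only; skip anything else.
    if zone.get("visibility", "public") != "public":
        return []
    cfg = zone.get("dnssecConfig") or {}
    findings: List[str] = []
    if cfg.get("state") != "on":
        findings.append(f"{name}: DNSSEC is not enabled (state={cfg.get('state', 'off')})")
        return findings
    zsk_specs = [s for s in cfg.get("defaultKeySpecs", []) if s.get("keyType") == "zoneSigning"]
    if not zsk_specs:
        findings.append(f"{name}: no zoneSigning key spec present")
    for spec in zsk_specs:
        algo = str(spec.get("algorithm", "")).lower()
        if algo in DEPRECATED_ZSK_ALGORITHMS:
            findings.append(
                f"{name}: ZSK uses deprecated algorithm {algo} (key length {spec.get('keyLength')})"
            )
    return findings


def audit_zones(zones: List[Dict]) -> Dict[str, List[str]]:
    """Map each failing zone name to its findings; passing zones are omitted."""
    report = {}
    for zone in zones:
        found = zsk_findings(zone)
        if found:
            report[zone.get("name", "<unknown>")] = found
    return report


def audit_project_with_gcloud(project: str) -> Dict[str, List[str]]:
    """Fetch every managed zone in `project` via gcloud and audit it (needs network + gcloud auth)."""
    raw = subprocess.check_output(
        ["gcloud", "dns", "managed-zones", "list", "--project", project, "--format=json"]
    )
    return audit_zones(json.loads(raw))


# Constructed sample zones (not real project output) covering the cases the check handles.
SAMPLE_ZONES = [
    {"name": "weak-zone", "dnsName": "weak.example.", "visibility": "public",
     "dnssecConfig": {"state": "on", "nonExistence": "nsec3", "defaultKeySpecs": [
         {"keyType": "keySigning", "algorithm": "rsasha256", "keyLength": 2048},
         {"keyType": "zoneSigning", "algorithm": "rsasha1", "keyLength": 1024}]}},
    {"name": "good-zone", "dnsName": "good.example.", "visibility": "public",
     "dnssecConfig": {"state": "on", "nonExistence": "nsec3", "defaultKeySpecs": [
         {"keyType": "keySigning", "algorithm": "rsasha256", "keyLength": 2048},
         {"keyType": "zoneSigning", "algorithm": "rsasha256", "keyLength": 1024}]}},
    {"name": "unsigned-zone", "dnsName": "unsigned.example.", "visibility": "public",
     "dnssecConfig": {"state": "off"}},
    {"name": "internal-zone", "dnsName": "corp.internal.", "visibility": "private"},
]

if __name__ == "__main__":
    for zone_name, issues in audit_zones(SAMPLE_ZONES).items():
        for issue in issues:
            print(issue)
```

`audit_zones` works on the list form produced by `gcloud dns managed-zones list --format=json`, so the same function serves both a single `describe` result wrapped in a list and a whole project; in a pipeline you would feed the list output in and fail the job when the report is non-empty.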
Remediation / Resolution
To reconfigure the Zone-Signing Key (ZSK) algorithm used by the DNSSEC security feature, perform the following operations:
Note: Changing the DNSSEC Zone-Signing Key (ZSK) algorithm using the Google Cloud Console is not currently supported.
- Google Cloud Platform (GCP) Documentation
- DNS Security Extensions (DNSSEC) overview
- Managing DNSSEC configuration
- Using advanced DNSSEC
- Viewing DNSSEC keys
- CIS Security Documentation
- Securing Google Cloud Computing Platform
You are auditing: Check for DNSSEC Zone-Signing Algorithm in Use
Risk level: Medium