Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Check for DNSSEC Key-Signing Algorithm in Use

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudDNS-002

Ensure that Domain Name System Security Extensions (DNSSEC) feature is not using the deprecated RSASHA1 algorithm for the Key-Signing Key (KSK) associated with your DNS managed zone file.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

When enabling DNSSEC security feature for a managed DNS zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. To follow security best practices, do not use the RSASHA1 signature algorithm for DNSSEC signing unless it is required for compatibility reasons, as SHA1 is considered weak and vulnerable to collision attacks. The algorithm used for DNSSEC signing should be a strong one, such as ECDSAP256SHA256 algorithm, as this is secure and widely deployed, and therefore it is a good choice for both DNSSEC validation and signing.

Note: This rule assumes that the DNSSEC feature is enabled for all your Google Cloud DNS managed zones, otherwise see the steps outlined in this conformity rule to enable DNSSEC.

Audit

To determine the type of DNSSEC Key-Signing Key algorithm configured for your Domain Name System (DNS) managed zones, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud DNS dashboard at https://console.cloud.google.com/net-services/dns.

04 Select the Zones tab to access the list of DNS managed zones created for the selected project.

05 On the Zones panel, click inside the Filter by zone name, DNS name or description box, select Type and public, then press Enter. This will return only the public DNS managed zones available for the GCP project.

06 Click on the name of the public DNS zone that you want to examine to access the zone file configuration page.

07 On the selected DNS zone file page, click on the Equivalent REST link available at the bottom of the page to view the REST request body, which includes the JSON representation of the selected DNS zone.

08 Inside the Equivalent REST response dialog box, check the DNSSEC Key-Signing Key (KSK) algorithm set for the selected DNS zone (i.e. dnssecConfig.defaultKeySpecs.algorithm value for the object with the "keyType" set to "KEY_SIGNING"). If the "algorithm" property value is set to "RSASHA1", the DNSSEC Key-Signing Key (KSK) algorithm configured for the selected DNS managed zone is not secure and should not be used unless it is required for compatibility reasons.

09 Repeat steps no. 6 – 8 for every public DNS zone deployed within the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud account:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
PROJECT_ID
cc-web-project-123456
cc-backend-app-112233

03 Run dns managed-zones list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom filtering to describe the name and the visibility of each DNS managed zone created for the selected project:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud dns managed-zones list
  --project cc-web-project-123456
  --format="table(name,visibility)"

04 The command output should return the requested Google Cloud DNS zone metadata:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
NAME                        VISIBILITY
cloudconformity-dns-zone    public
cloudrealisation-dns-zone   public

05 Run dns managed-zones describe command (Windows/macOS/Linux) using the name of the public DNS managed zone that you want to examine as identifier parameter and custom query filters to describe the DNSSEC feature configuration available for the selected DNS zone:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud dns managed-zones describe cloudconformity-dns-zone
  --format="json(dnssecConfig)"

06 The command output should return the requested configuration information in JSON format:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
{
  "dnssecConfig": {
    "defaultKeySpecs": [
      {
        "algorithm": "rsasha1",
        "keyLength": 1024,
        "keyType": "keySigning",
        "kind": "dns#dnsKeySpec"
      },
      {
        "algorithm": "rsasha256",
        "keyLength": 1024,
        "keyType": "zoneSigning",
        "kind": "dns#dnsKeySpec"
      }
    ],
    "kind": "dns#managedZoneDnsSecConfig",
    "nonExistence": "nsec3",
    "state": "on"
  }
}

Check the DNSSEC configuration object with the "keyType" property value set to "keySigning". If the dns managed-zones describe command output returns "rsasha1" as the value of the dnssecConfig.defaultKeySpecs.algorithm attribute, as shown in the example above, the DNSSEC Key-Signing Key (KSK) algorithm configured for the selected DNS managed zone is not secure and should not be used unless you need it for compatibility reasons.

07 Repeat step no. 5 and 6 for every public DNS zone created within the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To reconfigure the Key-Signing Key (KSK) algorithm used by the DNSSEC security feature, perform the following operations:

Note: Changing the DNSSEC Key-Signing Key (KSK) algorithm using the Google Cloud Console is not currently supported.

Using GCP CLI

01 If DNSSEC feature is already enabled for the DNS zone that you want to reconfigure, to make configuration changes, first disable the feature, make the required changes, and then re-enable DNSSEC with the desired configuration. Run dns managed-zones update command (Windows/macOS/Linux) using the name of the public DNS zone that you want to reconfigure as identifier parameter (see Audit section part II to identify the right zone), to disable the DNSSEC security feature for the selected DNS zone:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud dns managed-zones update cloudconformity-dns-zone
  --dnssec-state off

02 The command output should return the update process status for the selected DNS zone:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
Updating managed zone [cloudconformity-dns-zone]...done.

03 The supported DNSSEC algorithm options and key lengths are available on this page. These are also listed in the following table:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
Algorithm name      KSK lengths      ZSK lengths
---------------     -----------      -----------

RSASHA1             1024, 2048       1024, 2048
RSASHA256           1024, 2048       1024, 2048
RSASHA512           1024, 2048       1024, 2048
ECDSAP256SHA256     256              256
ECDSAP384SHA384     384              384

04 Run dns managed-zones update cloudconformity-dns-zone command (Windows/macOS/Linux) using the name of the public DNS zone that you want to reconfigure as identifier parameter, to change the Key-Signing Key (KSK) algorithm by updating the DNSSEC feature configuration just before enabling it for the selected DNS zone. The following command request example, sets the Key-Signing Key algorithm to "RSASHA256" and the key length to 2048. For more KSK algorithm and key lengths options see the table listed at step no. 3:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud dns managed-zones update cloudconformity-dns-zone
  --dnssec-state on
  --ksk-algorithm rsasha256
  --ksk-key-length 2048
  --zsk-algorithm rsasha256
  --zsk-key-length 1024
  --denial-of-existence nsec3

05 The command output should return the update process status for the selected DNS zone:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
Updating managed zone [cloudconformity-dns-zone]...done.

06 Repeat step no. 1 – 5 to change the DNSSEC KSK algorithm for other public DNS zones available within the selected Google Cloud Platform (GCP) project.

07 Repeat steps no. 1 – 6 for each GCP project deployed in your Google Cloud account.

References

Publication date May 5, 2020

Related CloudDNS rules