Profile Applicability:

Level 1

Description:

It is recommended to avoid using the RSASHA1 algorithm for the key-signing key (KSK) in Cloud DNS DNSSEC, as this algorithm is deprecated due to its weaker cryptographic strength. If RSASHA1 is in use, it requires explicit whitelisting by Google, along with an active Google Cloud support contract.

Rationale:

The RSASHA1 algorithm is no longer considered secure for DNSSEC key-signing due to advances in cryptographic analysis and computational power. Instead, stronger algorithms such as RSASHA256, RSASHA512, or ECDSA should be used to ensure secure domain name resolution and to protect against attacks such as DNS spoofing and cache poisoning.

When enabling DNSSEC or creating a DNS zone with DNSSEC, users can choose stronger algorithms for key-signing and zone-signing. If RSASHA1 is already in use, DNSSEC settings must be updated to use a stronger algorithm.

Default Value:

By default, RSASHA1 is not used unless explicitly configured.

Audit Steps:

Using Google Cloud CLI:

Describe the DNS zone:

gcloud dns managed-zones describe ZONE_NAME --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"

  1. In the output, locate the entry under dnssecConfig.defaultKeySpecs whose keyType is keySigning and verify that its algorithm property is not set to RSASHA1.
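The following script, added here as an example and not part of the benchmark itself, automates the audit step above: it parses the JSON that the describe command prints and flags any keySigning spec whose algorithm is RSASHA1. It also accepts a JSON list of zones, such as the output of `gcloud dns managed-zones list --format=json`, so that every zone in a project can be audited in one pass (an extension of the single-zone check on the page). The sample document embedded below is constructed, not real gcloud output; the field names (dnsName, dnssecConfig.state, dnssecConfig.defaultKeySpecs, keyType, algorithm) follow the format string used in the audit command.

```python
"""Audit Cloud DNS managed zones for a DNSSEC key-signing key that uses RSASHA1.

Added example. Reads the JSON produced by
  gcloud dns managed-zones describe ZONE_NAME \
    --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"
(or a JSON list of zones) and reports every zone whose keySigning spec uses
a deprecated algorithm. The sample below is constructed, not real output.
"""
from __future__ import annotations

import json
import subprocess
import sys

# Algorithms the benchmark treats as unacceptable for the KSK.
WEAK_ALGORITHMS = {"rsasha1"}

# Constructed sample of what the describe command prints for a non-compliant zone.
SAMPLE_DESCRIBE_OUTPUT = """
{
  "dnsName": "example-zone.test.",
  "dnssecConfig": {
    "defaultKeySpecs": [
      {"algorithm": "rsasha1", "keyLength": 2048, "keyType": "keySigning", "kind": "dns#dnsKeySpec"},
      {"algorithm": "rsasha256", "keyLength": 1024, "keyType": "zoneSigning", "kind": "dns#dnsKeySpec"}
    ],
    "state": "on"
  }
}
"""


def find_weak_ksks(zone: dict) -> list:
    """Return the keySigning specs of one zone document that use a weak algorithm.

    The comparison is case-insensitive: the API returns lowercase enum values
    (e.g. "rsasha256") while the CLI flags on the page use RSASHA256.
    A zone created without DNSSEC has no dnssecConfig at all, which yields no specs.
    """
    config = zone.get("dnssecConfig") or {}
    return [
        spec
        for spec in config.get("defaultKeySpecs", [])
        if spec.get("keyType") == "keySigning"
        and str(spec.get("algorithm", "")).lower() in WEAK_ALGORITHMS
    ]


def audit_zone(zone: dict) -> dict:
    """Summarise one zone. It is compliant when no keySigning spec uses RSASHA1.

    The DNSSEC state is reported alongside because a zone whose state is "off"
    still carries its key specs and would sign with them as soon as it is turned on.
    """
    config = zone.get("dnssecConfig") or {}
    weak = find_weak_ksks(zone)
    return {
        "dnsName": zone.get("dnsName"),
        "dnssecState": config.get("state", "off"),
        "weakKsk": [spec.get("algorithm") for spec in weak],
        "compliant": not weak,
    }


def audit_from_json(text: str) -> list:
    """Accept one zone document (describe) or a list of them (list --format=json)."""
    data = json.loads(text)
    zones = data if isinstance(data, list) else [data]
    return [audit_zone(zone) for zone in zones]


def main(argv: list) -> int:
    """Usage: audit_ksk.py ZONE_NAME   (runs gcloud)  or  audit_ksk.py < zones.json"""
    if len(argv) > 1:
        # Run the exact audit command from the benchmark for the named zone.
        text = subprocess.check_output(
            ["gcloud", "dns", "managed-zones", "describe", argv[1],
             "--format=json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"],
            text=True,
        )
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_DESCRIBE_OUTPUT  # demo run on the constructed sample
    results = audit_from_json(text)
    for r in results:
        status = "OK  " if r["compliant"] else "FAIL"
        print(f'{status} {r["dnsName"]} dnssec={r["dnssecState"]} weakKsk={r["weakKsk"]}')
    return 0 if all(r["compliant"] for r in results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the constructed sample reported as FAIL, pipe in `gcloud dns managed-zones list --format=json` to sweep a whole project, or pass a zone name to have the script run the describe command itself. A non-zero exit code makes it usable as a gate in a pipeline.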

Remediation Steps:

Using Google Cloud CLI:

If DNSSEC is already enabled for the zone, turn it off:

gcloud dns managed-zones update ZONE_NAME --dnssec-state off

Update the DNS zone with a stronger key-signing algorithm:

gcloud dns managed-zones update ZONE_NAME \
  --dnssec-state on \
  --ksk-algorithm KSK_ALGORITHM \
  --ksk-key-length KSK_KEY_LENGTH \
  --zsk-algorithm ZSK_ALGORITHM \
  --zsk-key-length ZSK_KEY_LENGTH \
  --denial-of-existence DENIAL_OF_EXISTENCE

  1. Replace the placeholders with values appropriate for the zone:

    • KSK_ALGORITHM: RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384

    • KSK_KEY_LENGTH: 1024, 2048 (for RSA-based algorithms), or 256, 384 (for ECDSA-based algorithms)

    • ZSK_ALGORITHM: Same options as KSK_ALGORITHM

    • ZSK_KEY_LENGTH: Same options as KSK_KEY_LENGTH

    • DENIAL_OF_EXISTENCE: nsec or nsec3

References:

  1. Google Cloud: DNSSEC Advanced Options

Additional Information:

  1. The RSASHA1 algorithm may only be required for legacy or compatibility reasons.

  2. The remediation commands require gcloud CLI version 221.0.0 or later.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
--- | --- | --- | --- | ---
4.2 Secure Configuration for Network Devices | Maintain secure configuration standards for network devices and review them annually or after major changes. | | |
11.1 Standard Security Configurations | Ensure that all authorized network devices follow secure and documented configurations. | | |