Profile Applicability:

Level 1

Description:

The RSASHA1 algorithm has been deprecated and removed from general use by Google. If still in use, it requires explicit whitelisting by Google and a support contract. Zone-signing algorithms should be strong and follow recommended security practices to ensure the integrity of DNSSEC-protected zones.

Rationale:

Using RSASHA1 for zone-signing poses significant security risks as it is considered cryptographically weak. Stronger algorithms like RSASHA256, RSASHA512, or ECDSA should be used for zone-signing to prevent potential attacks like DNS spoofing or cache poisoning. To update an existing DNSSEC-enabled managed zone with a stronger algorithm, DNSSEC must first be disabled and then reconfigured.

Default Value:

By default, RSASHA1 is not used unless explicitly configured.

Audit Steps:

Using Google Cloud CLI:

Describe the DNS zone to review the algorithm used for zone-signing:

gcloud dns managed-zones describe ZONE_NAME \
  --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"

  1. Confirm that the algorithm property of the key spec with keyType: zoneSigning is not set to RSASHA1.
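To run the same check across many zones, the following added example (not part of the benchmark and not Google's code) parses the JSON emitted by the describe command above and flags any default key spec that still uses RSASHA1; it also reports zones whose DNSSEC state is not "on". The zone records embedded below are constructed samples.

```python
import json

# Accepted values follow the remediation step's placeholder list; gcloud emits
# algorithm names in lower case, so compare case-insensitively.
DEPRECATED_ALGORITHMS = {"rsasha1"}
ACCEPTED_ALGORITHMS = {"rsasha256", "rsasha512", "ecdsap256sha256", "ecdsap384sha384"}


def audit_zone(describe_output: str) -> list[str]:
    """Audit one zone's `gcloud dns managed-zones describe --format=json(...)` output.

    Returns a list of findings; an empty list means DNSSEC is on and every
    default key spec (zoneSigning and keySigning) uses an accepted algorithm.
    """
    zone = json.loads(describe_output)
    name = zone.get("dnsName", "<unknown zone>")
    cfg = zone.get("dnssecConfig") or {}
    state = cfg.get("state", "off")
    findings = []

    if state.lower() != "on":
        # Zone is not DNSSEC-protected at all, so there are no key algorithms to check.
        findings.append(f"{name}: DNSSEC state is '{state}', expected 'on'")
        return findings

    for spec in cfg.get("defaultKeySpecs", []):
        key_type = spec.get("keyType", "unknown")
        algorithm = str(spec.get("algorithm", "")).lower()
        if algorithm in DEPRECATED_ALGORITHMS:
            findings.append(f"{name}: {key_type} key uses deprecated algorithm {algorithm}")
        elif algorithm not in ACCEPTED_ALGORITHMS:
            findings.append(f"{name}: {key_type} key uses unrecognized algorithm '{algorithm}'")
    return findings


# Constructed sample describe output (not real zones): one failing, one passing.
FAILING_ZONE = json.dumps({
    "dnsName": "legacy.example.",
    "dnssecConfig": {"state": "on", "defaultKeySpecs": [
        {"keyType": "keySigning", "algorithm": "rsasha256", "keyLength": 2048},
        {"keyType": "zoneSigning", "algorithm": "rsasha1", "keyLength": 1024}]},
})
PASSING_ZONE = json.dumps({
    "dnsName": "modern.example.",
    "dnssecConfig": {"state": "on", "defaultKeySpecs": [
        {"keyType": "keySigning", "algorithm": "ecdsap256sha256", "keyLength": 256},
        {"keyType": "zoneSigning", "algorithm": "ecdsap256sha256", "keyLength": 256}]},
})

if __name__ == "__main__":
    for sample in (FAILING_ZONE, PASSING_ZONE):
        print(audit_zone(sample) or ["PASS: " + json.loads(sample)["dnsName"]])
```

In practice, pipe the output of the describe command for each zone listed by `gcloud dns managed-zones list` into audit_zone and treat any non-empty result as an audit failure.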

Remediation Steps:

Using Google Cloud CLI:

If DNSSEC is already enabled, turn it off:

gcloud dns managed-zones update ZONE_NAME --dnssec-state off

Re-enable DNSSEC with a stronger zone-signing algorithm:

gcloud dns managed-zones update ZONE_NAME \
  --dnssec-state on \
  --ksk-algorithm KSK_ALGORITHM \
  --ksk-key-length KSK_KEY_LENGTH \
  --zsk-algorithm ZSK_ALGORITHM \
  --zsk-key-length ZSK_KEY_LENGTH \
  --denial-of-existence DENIAL_OF_EXISTENCE

  1. Replace placeholders with appropriate values:

    • KSK_ALGORITHM: RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384

    • KSK_KEY_LENGTH: 1024, 2048 (for RSA-based algorithms), or 256, 384 (for ECDSA-based algorithms)

    • ZSK_ALGORITHM: Same options as KSK_ALGORITHM

    • ZSK_KEY_LENGTH: Same options as KSK_KEY_LENGTH

    • DENIAL_OF_EXISTENCE: nsec or nsec3

References:

  1. Google Cloud: DNSSEC Advanced Options

Additional Information:

  1. RSASHA1 may still be required for legacy systems or compatibility.

  2. The remediation commands require gcloud CLI version 221.0.0 or later.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
4.2 Secure Configuration for Network Devices | Maintain secure configuration standards for network devices and review them annually or after major changes. | | |
11.1 Standard Security Configurations | Ensure that all authorized network devices follow secure and documented configurations. | | |