Check for DNSSEC Zone-Signing Algorithm in Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that the Domain Name System Security Extensions (DNSSEC) feature is not using the deprecated RSASHA1 algorithm for the Zone-Signing Key (ZSK) associated with your public DNS managed zones.

Security

When enabling DNSSEC for an existing managed DNS zone, or creating a managed zone with DNSSEC, you can select the signing algorithms for the Key-Signing Key (KSK) and the Zone-Signing Key (ZSK) and the denial-of-existence type (NSEC or NSEC3). Avoid the RSASHA1 signature algorithm unless it is required for compatibility reasons: practical collision attacks against SHA-1 have been demonstrated, and RFC 8624 lists RSASHA1 as NOT RECOMMENDED for signing. Use a strong algorithm instead, such as RSASHA256, which is secure, widely deployed and supported by validating resolvers, or ECDSAP256SHA256, which gives at least equivalent strength with much smaller keys and signatures. When reviewing the algorithm, also look at the key length: a 1024-bit RSA key, as shown in the examples below, is below the 2048-bit minimum recommended for RSA in current guidance (NIST SP 800-131A), so a zone that merely moves from RSASHA1/1024 to RSASHA256/1024 remains weaker than it should be.

Note: This rule assumes that DNSSEC is enabled for all your Google Cloud DNS managed zones. If it is not, enable it first by following the Conformity rule on enabling DNSSEC for Cloud DNS managed zones.


Audit

To determine the type of DNSSEC Zone-Signing Key algorithm configured for your public DNS managed zones, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud DNS dashboard at https://console.cloud.google.com/net-services/dns.

04 Select the Zones tab to access the list of DNS managed zones created for the selected project.

05 On the Zones panel, click inside the Filter by zone name, DNS name or description box, select Type and public, then press Enter. This will return only the public DNS managed zones available for the GCP project.

06 Click on the name of the public DNS zone that you want to examine to access the zone file configuration page.

07 On the selected DNS zone file page, click on the Equivalent REST link available at the bottom of the page to view the REST request body, which includes the JSON representation of the selected DNS zone.

08 Inside the Equivalent REST dialog box, check the DNSSEC Zone-Signing Key (ZSK) algorithm set for the selected DNS zone, i.e. the dnssecConfig.defaultKeySpecs[].algorithm value of the object whose "keyType" is "zoneSigning" (the REST representation uses the same lower-case enum values as the gcloud output shown in the CLI section). If the "algorithm" property value is "rsasha1", the Zone-Signing Key (ZSK) algorithm configured for the selected DNS managed zone is deprecated and insecure, and should not be used unless it is required for compatibility reasons. Note also the "keyLength" value of the same object: a 1024-bit RSA key is below current recommendations regardless of the hash algorithm.

09 Repeat steps no. 6 – 8 for every public DNS zone deployed within the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-frontend-app-123123
cc-backend-app-112233

03 Run dns managed-zones list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to list the name and the visibility of each DNS managed zone created for the selected project:

gcloud dns managed-zones list \
	--project cc-frontend-app-123123 \
	--format="table(name,visibility)"

04 The command output should return the requested Google Cloud DNS zone metadata:

NAME                       VISIBILITY
cloudrealisation-dns-zone  public
cloudconformity-dns-zone   public

05 Run dns managed-zones describe command (Windows/macOS/Linux) using the name of the public DNS managed zone that you want to examine as the identifier parameter, the ID of the selected project, and custom query filters to describe the DNSSEC configuration of the selected DNS zone:

gcloud dns managed-zones describe cloudrealisation-dns-zone \
	--project cc-frontend-app-123123 \
	--format="json(dnssecConfig)"

06 The command output should return the requested configuration information in JSON format:

{
  "dnssecConfig": {
    "defaultKeySpecs": [
      {
        "algorithm": "rsasha1",
        "keyLength": 1024,
        "keyType": "keySigning",
        "kind": "dns#dnsKeySpec"
      },
      {
        "algorithm": "rsasha1",
        "keyLength": 1024,
        "keyType": "zoneSigning",
        "kind": "dns#dnsKeySpec"
      }
    ],
    "kind": "dns#managedZoneDnsSecConfig",
    "nonExistence": "nsec3",
    "state": "on"
  }
}

Check the key specification object whose "keyType" property is set to "zoneSigning". If the dns managed-zones describe command output returns "rsasha1" as the value of that object's "algorithm" attribute, as shown in the example above, the DNSSEC Zone-Signing Key (ZSK) algorithm configured for the selected DNS managed zone is deprecated and insecure, and should not be used unless it is required for compatibility reasons. The example above also shows a 1024-bit RSA key length, which is itself below current recommendations.

07 Repeat steps no. 5 and 6 for every public DNS zone created within the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
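The following Python script is added here as a worked example; it is not part of the Conformity page or of Google's tooling. It automates the CLI audit above: it parses the dnssecConfig object that gcloud dns managed-zones describe returns with --format=json, reports the RSASHA1 Zone-Signing Key this rule flags, and additionally flags RSA keys shorter than 2048 bits (that floor is an assumption of the example, not a setting from the page). The embedded SAMPLE_WEAK_CONFIG is a constructed copy of the describe output shown at step no. 6. Run it with --live to walk every project and public zone through gcloud, which requires an authenticated gcloud installation.

```python
"""Audit Cloud DNS managed zones for a deprecated or weak DNSSEC key configuration.

Added example: wraps the gcloud commands from the Audit section. Offline it
evaluates a constructed sample; with --live it walks every project and zone.
"""
import json
import subprocess
import sys

# Policy: RSASHA1 is the algorithm this rule flags. The 2048-bit RSA floor is an
# added assumption of this example (NIST SP 800-131A), not a setting on the page.
DEPRECATED_ALGORITHMS = {"rsasha1"}
RSA_ALGORITHMS = {"rsasha1", "rsasha256", "rsasha512"}
MIN_RSA_KEY_LENGTH = 2048

# keyType enum values as emitted by gcloud and the REST API (see the describe output).
KEY_ROLE = {"keySigning": "KSK", "zoneSigning": "ZSK"}

# Constructed sample mirroring the `gcloud dns managed-zones describe` output in step no. 6.
SAMPLE_WEAK_CONFIG = {
    "defaultKeySpecs": [
        {"algorithm": "rsasha1", "keyLength": 1024, "keyType": "keySigning", "kind": "dns#dnsKeySpec"},
        {"algorithm": "rsasha1", "keyLength": 1024, "keyType": "zoneSigning", "kind": "dns#dnsKeySpec"},
    ],
    "kind": "dns#managedZoneDnsSecConfig",
    "nonExistence": "nsec3",
    "state": "on",
}


def zsk_uses_rsasha1(dnssec_config):
    """The check this rule performs: is the zoneSigning key spec's algorithm rsasha1?"""
    for spec in (dnssec_config or {}).get("defaultKeySpecs", []):
        if spec.get("keyType") == "zoneSigning":
            return str(spec.get("algorithm", "")).lower() == "rsasha1"
    return False


def evaluate_dnssec_config(dnssec_config):
    """Return a list of findings for one zone's dnssecConfig; an empty list means compliant.

    A missing config or a state other than "on" is reported, since the rule
    assumes DNSSEC is already enabled on every zone.
    """
    if not dnssec_config or dnssec_config.get("state") != "on":
        return ["DNSSEC is not enabled (state is not 'on'); enable it first"]
    findings = []
    for spec in dnssec_config.get("defaultKeySpecs", []):
        key_type = spec.get("keyType", "unknown")
        role = KEY_ROLE.get(key_type, key_type)
        algorithm = str(spec.get("algorithm", "")).lower()
        key_length = int(spec.get("keyLength", 0))
        if algorithm in DEPRECATED_ALGORITHMS:
            findings.append(f"{role} uses deprecated algorithm {algorithm}")
        if algorithm in RSA_ALGORITHMS and key_length < MIN_RSA_KEY_LENGTH:
            findings.append(f"{role} RSA key length {key_length} is below {MIN_RSA_KEY_LENGTH}")
    return findings


def gcloud_json(*args):
    """Run a gcloud command with --format=json and return the parsed result."""
    completed = subprocess.run(
        ["gcloud", *args, "--format=json"], check=True, capture_output=True, text=True
    )
    return json.loads(completed.stdout)


def audit_public_zones():
    """Steps 1-8 of the CLI audit: {(project_id, zone_name): findings} for non-compliant public zones."""
    results = {}
    for project in gcloud_json("projects", "list"):
        project_id = project["projectId"]
        try:
            zones = gcloud_json("dns", "managed-zones", "list", "--project", project_id)
        except subprocess.CalledProcessError as err:
            # Typically the Cloud DNS API is not enabled in this project; skip it.
            print(f"skipping {project_id}: {err.stderr.strip()}", file=sys.stderr)
            continue
        for zone in zones:
            if zone.get("visibility", "public") != "public":
                continue
            described = gcloud_json(
                "dns", "managed-zones", "describe", zone["name"], "--project", project_id
            )
            findings = evaluate_dnssec_config(described.get("dnssecConfig"))
            if findings:
                results[(project_id, zone["name"])] = findings
    return results


if __name__ == "__main__":
    if "--live" in sys.argv:
        for (project_id, zone_name), findings in sorted(audit_public_zones().items()):
            print(f"{project_id}/{zone_name}: {'; '.join(findings)}")
    else:
        print("sample zone ZSK uses RSASHA1:", zsk_uses_rsasha1(SAMPLE_WEAK_CONFIG))
        for finding in evaluate_dnssec_config(SAMPLE_WEAK_CONFIG):
            print("-", finding)
```

Because a zone whose DNSSEC state is "off" is reported as a finding rather than silently passed, the script also surfaces the case the Note in the Security section warns about, where this rule would otherwise have nothing to evaluate.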

Remediation / Resolution

To reconfigure the Zone-Signing Key (ZSK) algorithm used by the DNSSEC security feature, perform the following operations:

Note: Changing the DNSSEC Zone-Signing Key (ZSK) algorithm using the Google Cloud Console is not currently supported.

Using GCP CLI

01 Cloud DNS does not allow the DNSSEC key configuration to be changed while the feature is on. If DNSSEC is already enabled for the DNS zone that you want to reconfigure, first disable it, then re-enable it with the desired configuration. Before disabling DNSSEC, remove the zone's DS record from your domain registrar (or the parent zone) and wait for it to expire from resolver caches: if the DS record stays published while the zone no longer serves DNSKEY and RRSIG records, validating resolvers treat the zone as bogus and fail to resolve it. Run dns managed-zones update command (Windows/macOS/Linux) using the name of the public DNS zone that you want to reconfigure as the identifier parameter (see the Using GCP CLI part of the Audit section to identify the right zone), to disable the DNSSEC feature for the selected DNS zone:

gcloud dns managed-zones update cloudrealisation-dns-zone \
	--dnssec-state off

02 The command output should return the update process status for the selected DNS zone:

Updating managed zone [cloudrealisation-dns-zone]...done.

03 The supported DNSSEC algorithms and key lengths are documented by Google Cloud for Cloud DNS and are listed in the following table (RSASHA1 is shown only for completeness; it is the algorithm this rule flags):

Algorithm name     KSK lengths   ZSK lengths
---------------    -----------   -----------
RSASHA1            1024, 2048    1024, 2048
RSASHA256          1024, 2048    1024, 2048
RSASHA512          1024, 2048    1024, 2048
ECDSAP256SHA256    256           256
ECDSAP384SHA384    384           384

04 Run dns managed-zones update command (Windows/macOS/Linux) using the name of the public DNS zone that you want to reconfigure as the identifier parameter, to re-enable the DNSSEC feature with a new Zone-Signing Key (ZSK) algorithm; the key parameters must be supplied in the same command that turns DNSSEC back on. The following example sets both the Zone-Signing Key and the Key-Signing Key algorithm to "RSASHA256", with a 1024-bit ZSK and a 2048-bit KSK, and keeps NSEC3 denial of existence. For other algorithm and key length options see the table at step no. 3; where compatibility allows, prefer a 2048-bit ZSK or ECDSAP256SHA256, since a 1024-bit RSA key is below current recommendations:

gcloud dns managed-zones update cloudrealisation-dns-zone \
	--dnssec-state on \
	--zsk-algorithm rsasha256 \
	--zsk-key-length 1024 \
	--ksk-algorithm rsasha256 \
	--ksk-key-length 2048 \
	--denial-of-existence nsec3

05 The command output should return the update process status for the selected DNS zone. Because re-enabling DNSSEC generates a new Key-Signing Key, retrieve the zone's new DS record afterwards (Registrar Setup on the zone's page in the console, or the gcloud dns dns-keys commands) and publish it at your registrar; until the DS record is in place the zone is treated as unsigned rather than validated:

Updating managed zone [cloudrealisation-dns-zone]...done.

06 Repeat steps no. 1 – 5 to change the DNSSEC ZSK algorithm for other public DNS zones available within the selected Google Cloud Platform (GCP) project.

07 Repeat steps no. 1 – 6 for each GCP project deployed in your Google Cloud account.

Publication date Mar 12, 2020
