DNS managed zone DNSSEC should be enabled


Attackers can hijack the process of domain/IP lookup and redirect users to a malicious site. Domain Name System Security Extensions (DNSSEC) cryptographically signs DNS records and can help prevent attackers from issuing fake DNS responses that redirect browsers.

Remediation Steps

Google Cloud Console

  • Navigate to Cloud DNS.

  • For each zone of Type Public, set DNSSEC to On.

gcloud CLI

  • To enable DNSSEC for a zone:

    • gcloud dns managed-zones update ZONE_NAME --dnssec-state on
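
The "for each public zone" step above can be scripted. The following is an added example, not part of the original remediation text: it reports every non-private zone whose DNSSEC state is not "on" and can then apply the update command shown above. The function names, the --report/--apply switches and the sample zone names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find Cloud DNS zones that still need DNSSEC enabled.

# Reads "name,visibility,dnssec_state" lines on stdin (the shape list_zones
# emits) and prints "name state" for every zone that needs remediation.
zones_missing_dnssec() {
  while IFS=, read -r name visibility state; do
    [ -n "$name" ] || continue
    # Only private zones are skipped; an empty visibility is treated as
    # public so the report errs on the side of flagging a zone.
    [ "$visibility" = "private" ] && continue
    [ "$state" = "on" ] && continue
    printf '%s %s\n' "$name" "${state:-unset}"
  done
}

# Lists all managed zones in the active project as CSV without a header row.
list_zones() {
  gcloud dns managed-zones list \
    --format='csv[no-heading](name,visibility,dnssecConfig.state)'
}

# Applies the remediation command from the steps above to each flagged zone.
remediate() {
  list_zones | zones_missing_dnssec | while read -r name _state; do
    gcloud dns managed-zones update "$name" --dnssec-state on
  done
}

# Constructed sample input (not real zones), for trying the filter offline.
sample_zones() {
  cat <<'EOF'
corp-public,public,off
shop-public,public,on
internal,private,
legacy-public,public,
EOF
}

case "${1:-}" in
  --report) list_zones | zones_missing_dnssec ;;
  --apply)  remediate ;;
esac
```

Run with --report first to review the flagged zones, then with --apply to enable DNSSEC on them.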