DNS managed zone DNSSEC key-signing keys should not use RSASHA1


Domain Name System Security Extensions (DNSSEC) algorithm numbers may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The key-signing key algorithm should be strong, and RSASHA1 is no longer considered secure. Use it only for compatibility reasons.

Remediation Steps

Google Cloud Console

Remediation is not possible through the Google Cloud Console. Use the gcloud CLI instead.

gcloud CLI

If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings.

  • To turn off DNSSEC:

    • gcloud dns managed-zones update ZONE_NAME --dnssec-state off

  • To update key-signing for a reported managed DNS Zone:

    • gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE