DNSSEC must be enabled for Cloud DNS

ID

gcp_cloud_dns_without_dnssec

Severity

low

Vendor

GCP

Resource

Network

Tags

reachable

Description

DNSSEC (DNS Security Extensions) adds cryptographic signatures to the records in a zone so that a validating resolver can verify that an answer came from the zone's operator and was not altered in transit. It provides authenticity and integrity of DNS data; it does not encrypt queries and it does not improve availability. Leaving DNSSEC disabled on a Google Cloud DNS managed zone leaves the domain exposed to risks such as:

  • Forged responses (man-in-the-middle): an attacker positioned between a resolver and the zone's name servers can rewrite answers and redirect users to hosts they control. When the zone is signed, a validating resolver rejects records whose signatures do not verify.

  • Cache poisoning: an attacker who races the legitimate answer can inject false records into a resolver's cache, so it keeps returning the wrong address for the domain until the entry expires. Signed records that fail validation are discarded instead of cached.

Note that DNSSEC does not defend against denial-of-service attacks. An attacker can still flood the name servers or block legitimate queries, and signed responses are larger than unsigned ones, which makes a signed zone a better amplifier; rate limiting and anycast name servers address that risk, not DNSSEC. Signing also only helps clients whose resolvers perform validation.

To fix it, set the managed zone's dnssec_config.state property to on (Cloud DNS accepts on, off, or transfer; in Ansible playbooks it is safest to quote the value, because bare on and off are parsed as YAML booleans). Enabling signing is only half of the chain of trust: after the zone is signed, the DS record that Cloud DNS derives from the zone's key-signing key must be published in the parent zone through the domain registrar, otherwise validating resolvers treat the zone as unsigned. DNSSEC applies to public zones only; private managed zones cannot be signed and should be excluded from this check.

Learn more about this topic in Google's DNS Security Extensions (DNSSEC) overview.

Examples

---
# Non-compliant: the zone is created with DNSSEC signing disabled.
- name: create managed zone
  google.cloud.gcp_dns_managed_zone:
    name: object
    dns_name: zone.example.com.
    description: zone
    project: project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    dnssec_config:
      # dns#managedZoneDnsSecConfig is the module's default kind and may be omitted
      kind: dns#managedZoneDnsSecConfig
      # quoted: a bare `off` is a YAML boolean, not the string the API expects
      state: "off"

Mitigation / Fix

---
# Compliant: the zone is signed; publish the generated DS record at the registrar afterwards.
- name: create a managed zone
  google.cloud.gcp_dns_managed_zone:
    name: object
    dns_name: zone.example.com.
    description: zone
    project: project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    dnssec_config:
      # dns#managedZoneDnsSecConfig is the module's default kind and may be omitted
      kind: dns#managedZoneDnsSecConfig
      # quoted: a bare `on` is a YAML boolean, not the string the API expects
      state: "on"
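The following is an added audit script, not part of this rule page or of the Ansible collection, that applies the check described above to the output of `gcloud dns managed-zones list --format=json` and to Ansible tasks loaded from a playbook. The zone list embedded in it is constructed for the example. It treats a missing dnssecConfig and the intermediate `transfer` state as findings, skips private zones (which cannot be signed), and maps the booleans that PyYAML produces for unquoted `on`/`off` back to the strings the module expects.

```python
"""Audit Google Cloud DNS managed zones for DNSSEC state.

Input shape follows `gcloud dns managed-zones list --format=json`
(name, dnsName, visibility, dnssecConfig.state). The sample below is
constructed for this example, not captured from a real project.
"""
import json

# Constructed sample covering every state the rule needs to handle.
SAMPLE_ZONES_JSON = json.dumps([
    {"name": "prod-zone", "dnsName": "zone.example.com.", "visibility": "public",
     "dnssecConfig": {"kind": "dns#managedZoneDnsSecConfig", "state": "on"}},
    {"name": "legacy-zone", "dnsName": "legacy.example.com.", "visibility": "public",
     "dnssecConfig": {"kind": "dns#managedZoneDnsSecConfig", "state": "off"}},
    {"name": "migrating-zone", "dnsName": "move.example.com.", "visibility": "public",
     "dnssecConfig": {"kind": "dns#managedZoneDnsSecConfig", "state": "transfer"}},
    # Zones created without any dnssecConfig block are unsigned.
    {"name": "no-config-zone", "dnsName": "old.example.com.", "visibility": "public"},
    # Private zones cannot be signed in Cloud DNS and are out of scope.
    {"name": "internal-zone", "dnsName": "corp.internal.", "visibility": "private"},
])


def dnssec_state(zone):
    """Return the zone's DNSSEC state; no dnssecConfig means unsigned ('off')."""
    return zone.get("dnssecConfig", {}).get("state", "off")


def find_unsigned_zones(zones_json):
    """Return (name, dnsName, state) for every public zone not actively signed.

    'transfer' is reported too: the zone is signed but its keys are being
    handed over, so the chain of trust is not in its steady state.
    """
    findings = []
    for zone in json.loads(zones_json):
        if zone.get("visibility", "public") == "private":
            continue
        state = dnssec_state(zone)
        if state != "on":
            findings.append((zone["name"], zone["dnsName"], state))
    return findings


def ansible_task_dnssec_state(task):
    """Normalise dnssec_config.state from a task dict as PyYAML would load it.

    PyYAML follows YAML 1.1, so an unquoted `state: on` arrives as True and
    `state: off` as False. Map those back before comparing, so the check does
    not misreport a playbook that relies on Ansible's own bool-to-choice fixup.
    """
    module_args = task.get("google.cloud.gcp_dns_managed_zone") or {}
    raw = (module_args.get("dnssec_config") or {}).get("state", "off")
    if raw is True:
        return "on"
    if raw is False:
        return "off"
    return str(raw).lower()


if __name__ == "__main__":
    for name, dns_name, state in find_unsigned_zones(SAMPLE_ZONES_JSON):
        print(f"FINDING gcp_cloud_dns_without_dnssec: {name} ({dns_name}) state={state}")
```

Run it against real output by replacing `SAMPLE_ZONES_JSON` with the captured `gcloud` JSON; a zone that reports `on` here still needs its DS record published at the registrar before resolvers will validate it, which this script cannot see.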