🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
14Dashboards
621Benchmarks
202Queries
2Variables
GitHub

Control: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.dnssec_prevent_rsasha1_ksk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.dnssec_prevent_rsasha1_ksk --share

SQL

This control uses a named query:

  select
  self_link resource,
  case
    when visibility = 'private' then 'skip'
    when dnssec_config_state is null then 'alarm'
    when dnssec_config_default_key_specs @> '[{"keyType": "keySigning", "algorithm": "rsasha1"}]' then 'alarm'
    else 'ok'
  end as status,
  case
    when visibility = 'private'
      then title || ' is private.'
    when dnssec_config_state is null
      then title || ' DNSSEC not enabled.'
    when dnssec_config_default_key_specs @> '[{"keyType": "keySigning", "algorithm": "rsasha1"}]'
      then title || ' using RSASHA1 algorithm for key-signing.'
    else title || ' not using RSASHA1 algorithm for key-signing.'
  end as reason
  
  , project as project
from
  gcp_dns_managed_zone;

Tags

category = Compliance
cft_scorecard_v1 = true
nist_800_53_rev_5 = true
nist_csf_v10 = true
plugin = gcp
service = GCP/DNS
severity = high
soc_2_2017 = true