Skip to content

GCP Cloud DNS has DNSSEC disabled


DNSSEC is a feature of the Domain Name System that authenticates responses to domain name lookups. DNSSEC prevents attackers from manipulating or poisoning the responses to DNS requests.

We recommend you ensure DNSSEC is enabled in: any public DNS zone, the top level domain registry, and in the local DNS resolvers.

📘 Note

If visibility is set to private, then DNSSEC cannot be set, and this policy will pass.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at
  2. Click the DNSSEC setting for the existing managed zone.
  3. Select "On" in the pop-up menu.
  4. In the confirmation dialog, click Enable.

CLI Command

You can enable DNSSEC for existing managed zones using the gcloud command line tool or the API:
gcloud dns managed-zones update EXAMPLE_ZONE --dnssec-state on

Fix - Buildtime


  • Resource: google_dns_managed_zone
  • Argument: dnssec_config (Optional)
    DNSSEC configuration Structure is documented below.
resource "google_dns_managed_zone" "example" {
        description  = "Company Domain name"
        dns_name     = ""

      + dnssec_config { # forces replacement
          + kind          = "dns#managedZoneDnsSecConfig" # forces replacement
          + non_existence = "nsec3" # forces replacement
          + state         = "on" # forces replacement