Ensure GCP Cloud DNS has DNSSEC enabled

Error: GCP Cloud DNS has DNSSEC disabled

Bridgecrew Policy ID: BC_GCP_NETWORKING_5
Checkov Check ID: CKV_GCP_16
Severity: MEDIUM


DNSSEC is a feature of the Domain Name System that authenticates responses to domain name lookups. DNSSEC prevents attackers from manipulating or poisoning the responses to DNS requests.

We recommend enabling DNSSEC in every public DNS zone, at the top-level domain registry, and in local DNS resolvers.



If visibility is set to private, then DNSSEC cannot be set, and this policy will pass.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Click the DNSSEC setting for the existing managed zone.
  3. Select "On" in the pop-up menu.
  4. In the confirmation dialog, click Enable.

CLI Command

You can enable DNSSEC for existing managed zones using the gcloud command line tool or the API:
gcloud dns managed-zones update EXAMPLE_ZONE --dnssec-state on
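
To find which zones need that command, the pass/fail rule described above can be run over the JSON listing of a project's managed zones. This is an added example, not Bridgecrew or Checkov code; the zone names are constructed, the input shape assumes the output of gcloud dns managed-zones list --format=json, and treating every state other than "on" as a failure is an assumption.

```python
import json
import shlex

# Constructed sample shaped like `gcloud dns managed-zones list --format=json`
# (Cloud DNS ManagedZone resources). Zone names and domains are made up.
SAMPLE_ZONES = json.loads("""
[
  {"name": "corp-public", "dnsName": "example.com.", "visibility": "public",
   "dnssecConfig": {"state": "on", "nonExistence": "nsec3"}},
  {"name": "legacy-public", "dnsName": "example.org.", "visibility": "public",
   "dnssecConfig": {"state": "off"}},
  {"name": "no-config", "dnsName": "example.net."},
  {"name": "internal", "dnsName": "corp.internal.", "visibility": "private"}
]
""")


def dnssec_verdict(zone):
    """Return (passed, reason) for one managed zone under the rule on this page."""
    # Private zones cannot have DNSSEC set, so the policy passes them.
    if zone.get("visibility", "public") == "private":
        return True, "private zone, DNSSEC not applicable"
    state = (zone.get("dnssecConfig") or {}).get("state", "off")
    if state == "on":
        return True, "dnssecConfig.state is on"
    # Assumption: any state other than "on", or a missing dnssecConfig, fails.
    return False, f"dnssecConfig.state is {state}"


def audit(zones):
    """Split zones into passed/failed and attach the page's fix command to failures."""
    report = {"passed": [], "failed": []}
    for zone in zones:
        ok, reason = dnssec_verdict(zone)
        entry = {"zone": zone["name"], "reason": reason}
        if not ok:
            name = shlex.quote(zone["name"])  # safe to paste into a shell
            entry["fix"] = f"gcloud dns managed-zones update {name} --dnssec-state on"
        report["passed" if ok else "failed"].append(entry)
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_ZONES)["failed"]:
        print(f"FAIL {entry['zone']}: {entry['reason']}\n  {entry['fix']}")
```
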

Fix - Buildtime


  • Resource: google_dns_managed_zone
  • Argument: dnssec_config (Optional)
    DNSSEC configuration. Structure is documented below.
resource "google_dns_managed_zone" "example" {
        description  = "Company Domain name"
        dns_name     = "example.com."
      + dnssec_config { # forces replacement
          + kind          = "dns#managedZoneDnsSecConfig" # forces replacement
          + non_existence = "nsec3" # forces replacement
          + state         = "on" # forces replacement
        }
}