GCP Professional Cloud Security Engineer Practice Question
Your company hosts the public DNS zone "contoso.com" in Cloud DNS. Security requires DNSSEC to protect against cache-poisoning attacks. You change the zone's dnssec_state from "off" to "on" using Terraform and select the RSASHA256 key algorithm. The apply completes and a key-signing key now appears in the Cloud DNS console, yet public resolvers still mark the zone as "insecure." What action must you take to finish the DNSSEC rollout?
Submit the DS record provided by Cloud DNS to the domain registrar so the .com parent zone publishes it.
Manually add DNSKEY and RRSIG records to the zone file so validators can see the signatures.
Create an asymmetric key in Cloud KMS and upload its public portion to Cloud DNS as an external KSK.
Enable DNSSEC validation on every internal and external recursive resolver that queries the zone.
Cloud DNS automatically publishes DNSKEY and RRSIG records after you enable DNSSEC, but the chain of trust is not complete until the parent zone (.com) advertises that the child zone is signed. You do this by submitting the DS (Delegation Signer) record that Cloud DNS generates to the domain's registrar, which publishes it in the parent zone. Without that DS record, validating resolvers have no trusted link from the parent to the zone's keys and cannot authenticate its signatures, so the zone remains insecure. Manually creating DNSKEY/RRSIG records is unnecessary because Cloud DNS manages them. Client-side resolvers do not need special configuration beyond normal DNSSEC validation, and Cloud DNS does not support importing an external Cloud KMS key as a KSK.
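The DS-to-DNSKEY link described in the explanation, as an added example that is not part of the original question or any Google tooling: it derives the DS fields from a DNSKEY in the RFC 4034 / RFC 4509 format and classifies the delegation the way a validating resolver would. The function names and the key material are constructed for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercased) wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text):
    """DNSKEY RDATA bytes from presentation form: 'flags protocol algorithm base64key'."""
    flags, protocol, algorithm, key = text.split(None, 3)
    body = base64.b64decode("".join(key.split()))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + body

def key_tag(rdata):
    """Key tag checksum, RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS fields for a DNSKEY: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def chain_status(owner, dnskeys, parent_ds):
    """Status of the parent-to-child link only; RRSIG checking is out of scope."""
    if not parent_ds:
        return "insecure"  # signed zone, but the parent publishes no DS for it
    wanted = {(t, a, d, h.upper()) for t, a, d, h in parent_ds}
    if any(make_ds(owner, k) in wanted for k in dnskeys):
        return "secure"    # a DS at the parent matches a DNSKEY in the zone
    return "bogus"         # DS present but matching no key: validation fails

if __name__ == "__main__":
    # Constructed placeholder key material, not real RSA keys or Cloud DNS output.
    ksk = parse_dnskey("257 3 8 AwEAAcD/7g==")  # flags 257 = KSK, 8 = RSASHA256
    zsk = parse_dnskey("256 3 8 AwEAAcD/7w==")  # flags 256 = ZSK
    ds = make_ds("contoso.com", ksk)
    print("DS to give the registrar: %d %d %d %s" % ds)
    print("before DS is published:", chain_status("contoso.com", [ksk, zsk], []))
    print("after DS is published: ", chain_status("contoso.com", [ksk, zsk], [ds]))
```

The "bogus" branch covers the failure mode the question does not: a DS left at the registrar that no longer matches any key in the zone makes validating resolvers reject answers rather than fall back to insecure.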
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection