GCP Professional Cloud Security Engineer Practice Question
Your company hosts the public DNS zone corp.example in Cloud DNS. After investigating recent cache-poisoning attempts, the security team asks you to implement a control that allows validating recursive resolvers on the internet to cryptographically verify that the answers they receive for corp.example are authentic and untampered. The operations team wants a solution that minimizes ongoing key-management overhead for them. What should you do?
Enable DNSSEC for the Cloud DNS managed zone, rely on Cloud DNS to create and automatically rotate the ZSK, manually manage the KSK, and publish the generated DS record with the domain registrar.
Enforce DNS over TLS for all clients and block UDP/53 on the corporate firewall to prevent on-path tampering of DNS responses.
Deploy secondary authoritative DNS servers in another project and front them with Cloud CDN so cached DNS responses remain available during outages.
Enable Cloud DNS query logging and create Cloud Logging alerts to detect suspicious NXDOMAIN or SERVFAIL spikes indicating cache-poisoning attempts.
Turning on DNSSEC for the Cloud DNS public zone instructs Cloud DNS to sign each resource-record set with RRSIG records that validating resolvers can check against the zone's DNSKEY records, protecting against spoofing and cache poisoning. When DNSSEC is enabled, Cloud DNS automatically creates and can automatically rotate the Zone-Signing Keys (ZSKs). You must still create (and periodically rotate) the Key-Signing Key (KSK) manually and publish the associated Delegation Signer (DS) record at your domain registrar to complete the chain of trust. Solutions based solely on encrypted transport (DoT/DoH), logging, or caching do not provide the cryptographic data-integrity guarantees required. Therefore, enabling DNSSEC with Cloud-managed ZSKs and manually publishing the DS record provides strong authenticity with minimal ongoing effort.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is DNSSEC and why is it important?
Open an interactive chat with Bash
What is the difference between ZSK and KSK in DNSSEC?
Open an interactive chat with Bash
What is cache poisoning in DNS and how does DNSSEC prevent it?
Open an interactive chat with Bash
What is DNSSEC and how does it work?
Open an interactive chat with Bash
What is the difference between ZSK and KSK in DNSSEC?
Open an interactive chat with Bash
Why is DNS over TLS (DoT) or DNS over HTTPS (DoH) insufficient for cache poisoning protection?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .