GCP Professional Cloud Security Engineer Practice Question
Your company hosts the public DNS zone payments.example in Cloud DNS. DNSSEC is enabled (state On) and the current registrar holds the zone's DS record. You need to move the domain to a different registrar, and compliance policy requires that DNSSEC validation must not fail at any time during the transfer. Which single change in Cloud DNS best meets this goal before you begin the registrar transfer?
Disable DNSSEC (set the state to Off), wait for one TTL to expire, migrate the domain, then re-enable DNSSEC at the new registrar.
Keep the DNSSEC state On and recreate the same DS record at the new registrar after the transfer completes.
Change the managed zone's DNSSEC state from On to Transfer, then proceed with the registrar move and add the existing DS record at the new registrar.
Generate a new key-signing key in Cloud DNS, publish its DS record at both registrars, and delete the old key after the transfer.
Switching the managed zone's DNSSEC state from On to Transfer is the most reliable way to keep DNSSEC validation intact during a registrar move. In Transfer state, Cloud DNS continues to sign the zone with the existing key-signing (KSK) and zone-signing (ZSK) keys but pauses automatic key rollovers. Because the key material stays the same, the DS record that is already published at the current registrar remains valid and can be copied to the new registrar after the transfer. Leaving DNSSEC in the On state risks an automatic key rollover introducing a new KSK that the gaining registrar has not yet published, breaking validation. Disabling DNSSEC would stop further signing; once the existing RRSIG records expire, validators would fail queries unless the DS record were removed, which violates the requirement to keep validation active. Generating a new KSK and coordinating DS records across registrars adds unnecessary complexity and potential for error. Therefore, placing the zone in Transfer state before initiating the registrar change best satisfies the requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is DNSSEC and why is it important for DNS validation?
Open an interactive chat with Bash
What does the DNSSEC 'Transfer' state mean in Cloud DNS?
Open an interactive chat with Bash
What is a DS record and how does it relate to DNSSEC?
Open an interactive chat with Bash
What is DNSSEC and why is it important for DNS zones?
Open an interactive chat with Bash
What happens in the DNSSEC Transfer state in Cloud DNS?
Open an interactive chat with Bash
What is a DS record in DNSSEC, and why does it matter during a registrar transfer?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .