This article is a journal of my path to take the Google Professional Cloud Security Engineer Recertification. I plan to track my progress, resources and post exam tips.

Date created: March 2, 2021
Last updated: March 7, 2021
Exam Completed: TBD

Part 1: Introduction
Part 2: Post Exam Review
Part 3: Daily Study
Part 4: Tips and Advice
Part 5: Final Exam

Part 1: Introduction

Two years ago, I started preparing for the Professional Cloud Security Engineer certification. I wrote an in-depth article covering my preparation for the exam and my exam experience. I took the certification during the beta period, so I had to wait for the results. Passing that certification exam opened the door to lots of opportunities and I have studied and implemented security for Google Cloud almost every day since.

I just received an email notification from Google, that I must recertify by March 29, 2021. I could probably pass the exam with no additional preparation, but I like to be prepared. This is also the perfect reason to reevaluate everything related to Google Cloud security and polish those areas that I do not work with every day. When I prepared for the beta exam, I spent ten days preparing. This time I have almost a month to prepare.

Define the objectives:

  • Pass the recertification.
  • Improve my security knowledge.
  • Pick three Google Cloud security services that I am weak with and improve significantly.

Define the requirements to meet the objectives:

  • I am guessing, but I think two hours each day, four days per week for the core exam. Given three weeks, this is 24 hours of focused preparation.
  • Spend two to four hours once per week on a service that I am weak with. Three services, six to twelve more hours of focused preparation.

Define the strategy:

  • Let my family and friends know about my plans. Ask for their support and understanding.
  • Review the Exam Guide.
  • For each study period:
    • 30 minutes reading documentation.
    • 30 minutes watching Google, Pluralsight, and/or YouTube videos on the latest services and features.
    • 60 minutes in the Google Cloud Console deploying and practicing with security services.
  • Select six whitepapers to study in-depth.
  • Bonus work: study several new security-related APIs and write some sample code.

Summary:

Over the past two years, I focused on my weak areas from the last exam and applied what I know as part of my job. I am very comfortable with security in general and with the low-level details of Google Cloud. I do not expect any difficulties passing the recertification.

[I will update this article often as I prepare for the exam].

Part 2: Post Exam Review

To be written.

Part 3: Daily Study
March 2, 2021 – Day #1 – Preparation Start + DNSSEC
  • Today I started by getting organized. I placed a 2-foot x 4-foot folding table next to my desk. Cleaned the table, located a new spiral notebook, small notepads, pens, and my favorite bookmarks. I previously ordered a new TaoTronics LED lamp and I placed this lamp on the table. Perfect light for reading. I located my books on security, books on Google Cloud and organized everything on the table. I have a 43-inch 4K TV and soundbar that I plan to watch YouTube videos on. Great screen resolution and very easy on the eyes. Much better than a monitor and headphones.
  • A thorough review of the certification exam guide. I printed this document and then checked off every area I was not at an advanced level with. I then narrowed down this list to twelve areas to focus on, one per day. I wish I had kept the exam guide from two years ago so that I could compare. I created a PDF copy today for recertification work in two years.
  • Review the Google Cloud resources that are available. One item that stands out: Solve with Google. I entered “security” in the search area and a number of articles stand out as must-reads. I will list these later after I select a few that meet my objectives.

Today I decided to start with DNSSEC. DNSSEC is on the Exam Guide. I am currently studying Google Cloud DNS Internationalized Domain Names (IDN), so adding DNSSEC is a logical continuation. I will also study some of the past vulnerabilities that caused the industry to create the Domain Name System Security Extensions (DNSSEC). A quick Google search for “google cloud dnssec” turned up a lot of Google-authored articles. I have some serious reading to do. This will exceed my per-topic allocated time, so I will add more time to my studies.

I am already comfortable with DNSSEC as I have deployed DNSSEC for several domains including my own. However, I need to put more effort into mastering this topic and technology. There is no better time to start than right now. I also plan to document the steps to set up DNSSEC on one of my practice domains and write code to validate DNSSEC.

DNSSEC Resources:

  • YouTube:
    • DNSSEC What it is and what it isn’t (40 minutes)
      • This is a great video that I recommend that everyone watches. Great speaker, very interesting security topics. This video will have you thinking about DNS, MFA, nation-state hackers, and more. This video alone now makes me seriously consider DNSSEC for all domains.
    • DNSSEC Tutorial (87 minutes)
      • This is a great video on DNSSEC. The speaker is an expert with years of experience. It took me three hours to watch the first 45 minutes. I took so many notes and repeated so many sections that a 90-minute video will take six hours to complete.

Summary

Total time: 4 hours.

I spent a lot of time this evening watching the two videos and taking a lot of notes. More than I planned. These videos really motivated me to go deeper into DNS, DNSSEC, BGP, SSL, and MFA. Often, I feel burned out after a long session. These topics have me motivated to dig deeper.

March 3, 2021 – Day #2 – DNSSEC

Today, I studied the Google Cloud documentation listed below, with a focus on “Using advanced DNSSEC”. I then decided to take my domain jhanley.org, which already has DNSSEC enabled, and practice creating “delegated subzones” so that I can go through the entire process of setting up DNSSEC including creating the DS record in the parent zone. I wrote commands using the gcloud CLI and HashiCorp Terraform. Terraform makes creating delegated subzones very easy. I plan to publish an article on using Terraform for delegated subzones tomorrow.

The following is a sample of the Terraform code created today:

terraform {
  required_version = ">= 0.14.7"
}

provider "google" {
  credentials = var.gcp_service_account
  project     = var.gcp_project
  region      = var.gcp_region
}

# The delegated subzone (for example dnssec.jhanley.org.) as a new managed zone.
resource "google_dns_managed_zone" "gcp_child_zone" {
  name        = var.zonename
  dns_name    = var.dnsname
  project     = var.gcp_project
  description = "Managed by Terraform, Delegated Subzone"
}

# The existing parent zone (for example jhanley-org), looked up rather than managed here.
data "google_dns_managed_zone" "gcp_parent_zone" {
  name = var.parent-zonename
}

# Delegation: publish the child zone's name servers as an NS record set in the parent.
# Referencing the child zone's attributes gives Terraform the create/destroy ordering,
# so no explicit depends_on is needed.
resource "google_dns_record_set" "dns-ns" {
  name         = google_dns_managed_zone.gcp_child_zone.dns_name
  managed_zone = data.google_dns_managed_zone.gcp_parent_zone.name
  type         = "NS"
  ttl          = 21600
  rrdatas      = google_dns_managed_zone.gcp_child_zone.name_servers
}

# A sample record inside the child zone. Referencing the zone resource (rather than
# var.zonename) guarantees the zone exists before the record set is created.
resource "google_dns_record_set" "dns-www" {
  name         = var.www-dnsname
  managed_zone = google_dns_managed_zone.gcp_child_zone.name
  type         = "CNAME"
  ttl          = 300
  rrdatas      = [var.www-dnscname]
}

DNSSEC Resources:

Summary

Total time: 4 hours.

I quickly became bored reading documentation today. By the time I finished reading Using advanced DNSSEC, I wanted to deploy something. Tomorrow I plan to continue practicing with DNSSEC now that I have Terraform code for creating and deleting delegated subzones.

March 4, 2021 – Day #3 – DNSSEC

Today, I continued my deep dive into DNS Delegated Subzones. With the Terraform code that I created yesterday, I can now quickly create and destroy a delegated subzone.

Using the CLI, I enabled DNSSEC on the subzone and created the DS Resource Record in the parent zone. I am very glad that I continued this path as the mystery of enabling DNSSEC is gone. If your DNS servers are Google Cloud DNS, this process is easy. I started an in-depth article on this process that I will publish this weekend. My last step is to complete the Terraform code that does everything. This includes creating the delegated subzone, enabling DNSSEC, and publishing the DS record in the parent zone. With the Terraform code, creating a DNSSEC enabled delegated subzone becomes a simple process of entering values for the Terraform variables. Maybe I will go one step further and create a Python or C# program to do everything.

Now that I understand how to enable DNSSEC and create the required records, the next major item is how to validate DNSSEC programmatically. I guess that validation is not required for the exam, so I will make that task extra credit for personal benefit.

DNSSEC Resources:

  • Google Cloud Documentation:
    • Activating DNSSEC for Cloud DNS domains
      • This is a good document that goes into additional details about enabling and activating DNSSEC with Google Cloud DNS.
      • A section on Domain registrar-specific instructions.
      • Out-of-date information about Amazon Route 53 – Route 53 now supports DNSSEC for hosted zones.

Below are the major steps to enable and activate DNSSEC. The parent domain is jhanley.org, which already has DNSSEC enabled. The subzone is dnssec.jhanley.org. The respective Cloud DNS managed zone names (the zone's name, not its DNS name) are jhanley-org and dnssec-jhanley-org.

Step 1. Enable DNSSEC for the delegated subzone

gcloud dns managed-zones update dnssec-jhanley-org --dnssec-state on

DNSSEC is now enabled for the delegated subzone; Step 4 activates it by publishing the DS record in the parent. Cloud DNS needs some time after Step 1 to generate the keys and sign the zone, so wait a few minutes before inserting the DS resource record into the parent in Step 4 below. You can use dig to verify that each of the subzone's name servers is answering with the DNSKEY records. Replace my-nameserver-x with your zone's four name servers (gcloud dns managed-zones describe lists them). The output should look like the dig output in Step 2.

dig -t dnskey dnssec.jhanley.org +multiline @my-nameserver-1
dig -t dnskey dnssec.jhanley.org +multiline @my-nameserver-2
dig -t dnskey dnssec.jhanley.org +multiline @my-nameserver-3
dig -t dnskey dnssec.jhanley.org +multiline @my-nameserver-4

Step 2. List the DNSKEYs for the delegated subzone

gcloud dns dns-keys list --zone dnssec-jhanley-org

Example output

ID  KEY_TAG  TYPE         IS_ACTIVE  DESCRIPTION
0   9496     keySigning   True
1   35664    zoneSigning  True

In the above output notice the entry for “keySigning”. You will need the ID for the next step.

A comparable dig command is:

dig -t dnskey dnssec.jhanley.org +multiline

Example output:

;; ANSWER SECTION:
dnssec.jhanley.org.   0 IN DNSKEY 256 3 8 (
                                AwEAAY42LhNrq3aTrX2AFWpTDoRbHeezydbh4QthiK94
                                HYHM0VY5Jgb151ynHQr7zSg5bSt7wfJayw1nPhfQ3maO
                                0h7ByzKTXaWnNgO3uMykZdSkS7EpSSuCUSlxLWS2qoka
                                A/zEeYXo3WJ0BoUHT42FJpAyZKbon55P6dVMsRnrf/rr
                                ) ; ZSK; alg = RSASHA256 ; key id = 35664
dnssec.jhanley.org.   0 IN DNSKEY 257 3 8 (
                                AwEAAa1Xhn05itsgy2joQ/Qb8EBOkCHAYpqEOleUYuje
                                FfBh51uTWQPiWxgy05hSHS75YGWrBZ7hPqp8voVkdng3
                                94WirXcCpOl1+c9bzfrNxM/wtPTFUHxbawuB2Rhvws8o
                                txH1FvTr9lWSdxTfd6f9+Wo9VR7tqeFyVL26MKIdn4sG
                                UAu0a7cAjHK/l3OtYWLnwJ8vqrI3J0ARbPJcDO0H8fW1
                                Z3SAKZQWXX7Hlk3ISkbPrEHw1MR3pikGo+H2KWFEaQuW
                                Z8AohH9JXu4kNTS7XD/b0n1ZjzYEKtO7xiDCK/jp2Kf7
                                sqA/GCxEReA51QxgMoCYucOeJ4VDGffx1NEdo8E=
                                ) ; KSK; alg = RSASHA256 ; key id = 9496

Notice in the above output that dig labels the value 9496 as key id whereas Google Cloud DNS calls it KEY_TAG. Both are the RFC 4034 key tag, and the same value appears as the first field of the DS record in the next step.

Step 3. Get the DS record from the subzone. The output is used to create the DS record in the parent zone.

gcloud dns dns-keys describe 0 --zone dnssec-jhanley-org --format "value(ds_record())"

Example output

9496 8 2 95AB1B3B0AA0FA83E3EEF7285D7EE2E75DE26196D9CFF78B540FF684FA00BDBA

In the above output, save the entire line.

DS records have the following data elements (RFC 4034, section 5.1):

  • Key Tag: A 16-bit checksum computed over the DNSKEY RDATA (RFC 4034, Appendix B). It narrows down which DNSKEY the DS refers to but is not guaranteed unique; validators still try every DNSKEY with a matching tag.
  • Algorithm: The algorithm number of the referenced DNSKEY record (8 is RSA/SHA-256).
  • Digest Type: The cryptographic hash algorithm used to create the Digest (1 is SHA-1, 2 is SHA-256, 4 is SHA-384).
  • Digest: A cryptographic hash of the referenced DNSKEY record.
    • The digest is calculated by concatenating the canonical form of the fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA, and then applying the digest algorithm.

Reference: Resource Records for the DNS Security Extensions – RFC 4034

In my example:

  • Key Tag: 9496
  • Algorithm: 8 (RSA/SHA-256)
  • Digest Type: 2 (SHA-256)
  • Digest: 95AB1B3B0AA0FA83E3EEF7285D7EE2E75DE26196D9CFF78B540FF684FA00BDBA

Step 4. Add the DS Resource Record to the parent zone

Google Cloud DNS changes record sets in transactions. The first command starts a transaction, which gcloud stores in the file transaction.yaml in the current directory; the second command adds the DS record set to that file; the third command executes the transaction against the zone and deletes the file. Nothing reaches the parent zone until the execute step.

Notice that the output from Step 3 is used in the second command as the positional RRDATA argument, and that the record name is the fully qualified child name with a trailing dot.

gcloud dns record-sets transaction start --zone jhanley-org
gcloud dns record-sets transaction add --zone jhanley-org --ttl 300 --type DS --name dnssec.jhanley.org. "9496 8 2 95AB1B3B0AA0FA83E3EEF7285D7EE2E75DE26196D9CFF78B540FF684FA00BDBA"
gcloud dns record-sets transaction execute --zone jhanley-org
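Before pushing the DS record into the parent (Step 4), the check a practitioner wants is to recompute it from the KSK and confirm it matches what gcloud printed in Step 3; doing so also makes the DS data elements above concrete and is a first step toward the programmatic DNSSEC validation mentioned earlier. The following Python script is an added example, not code from the original article or from Google. It implements the RFC 4034 key tag and DS digest calculations directly with only the standard library, parses dig's multi-line DNSKEY presentation format, and is fed the KSK and DS record copied from the dig and gcloud output above. The function names and the parsing helper are my own.

```python
"""Recompute a DS record from a DNSKEY per RFC 4034 and compare it with the
DS that Cloud DNS generated, before publishing it in the parent zone."""
import base64
import hashlib
import struct

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_dnskey(text):
    """Parse a DNSKEY record in dig's presentation format, including the
    multi-line '( ... )' form with ';' comments.
    Returns (owner, flags, protocol, algorithm, public_key_bytes)."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]  # drop trailing comments such as '; KSK'
        tokens.extend(line.replace("(", " ").replace(")", " ").split())
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def canonical_name(owner):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased, length-prefixed labels, terminated by the root label."""
    wire = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire format: flags (16 bit), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY
    RDATA. It is not unique; two keys can share a tag."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the DS RDATA '<key tag> <algorithm> <digest type> <digest>'.
    The digest covers canonical owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(dnskey_text, ds_text):
    """True if the DS text refers to this DNSKEY: the key must be a zone key
    (ZONE flag, bit 7, set) with protocol 3, and key tag, algorithm, digest
    type and digest must all agree. Hex case and '( )' grouping are ignored."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    if not (flags & 0x0100) or protocol != 3:
        return False
    parts = ds_text.replace("(", " ").replace(")", " ").split()
    tag, alg, digest_type = parts[:3]
    digest = "".join(parts[3:]).upper()
    if int(digest_type) not in DIGEST_ALGS:
        return False
    expected = ds_record(owner, flags, protocol, algorithm, pubkey, int(digest_type))
    return expected.split() == [tag, alg, digest_type, digest]


# Copied from the dig and gcloud output earlier on this page.
PAGE_KSK = """dnssec.jhanley.org.   0 IN DNSKEY 257 3 8 (
                                AwEAAa1Xhn05itsgy2joQ/Qb8EBOkCHAYpqEOleUYuje
                                FfBh51uTWQPiWxgy05hSHS75YGWrBZ7hPqp8voVkdng3
                                94WirXcCpOl1+c9bzfrNxM/wtPTFUHxbawuB2Rhvws8o
                                txH1FvTr9lWSdxTfd6f9+Wo9VR7tqeFyVL26MKIdn4sG
                                UAu0a7cAjHK/l3OtYWLnwJ8vqrI3J0ARbPJcDO0H8fW1
                                Z3SAKZQWXX7Hlk3ISkbPrEHw1MR3pikGo+H2KWFEaQuW
                                Z8AohH9JXu4kNTS7XD/b0n1ZjzYEKtO7xiDCK/jp2Kf7
                                sqA/GCxEReA51QxgMoCYucOeJ4VDGffx1NEdo8E=
                                ) ; KSK; alg = RSASHA256 ; key id = 9496"""
PAGE_DS = "9496 8 2 95AB1B3B0AA0FA83E3EEF7285D7EE2E75DE26196D9CFF78B540FF684FA00BDBA"

if __name__ == "__main__":
    fields = parse_dnskey(PAGE_KSK)
    print("computed :", ds_record(*fields))
    print("published:", PAGE_DS)
    print("match    :", ds_matches(PAGE_KSK, PAGE_DS))
```

Paste the dig output for your own KSK into PAGE_KSK and the gcloud ds_record() output into PAGE_DS; a mismatch means the DS you are about to publish does not describe the key the zone is signed with, which would make every validating resolver reject the zone. The script deliberately checks the ZONE flag and protocol 3, because a DS that points at a non-zone key is as useless as a wrong digest.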

DNSSEC Online Validation Tools:

Interesting sites that display DNSSEC information:

  • GWhois – Very interesting detail for domains with DNSSEC enabled.
  • Google Public DNS Displays the DNS server responses and performs DNSSEC validation. Very interesting.

Other interesting sites:

  • Google Public DNS Flush Cache – Refresh the Google Public DNS cache for a domain. Useful when you change registrars or name servers.
  • DNS Checker – Verify that your DNS resource records have propagated from multiple global locations. Might be a good way to check if the DNSKEY resource records have propagated.

Benefits of using Google Cloud DNS for DNSSEC

  • Google creates the Key Signing Key (KSK) and Zone Signing Key (ZSK) for you, publishes them in your zone as DNSKEY records, and signs the zone (the RRSIG and NSEC3 records) automatically.
  • Google manages Zone Signing Key rotation.
  • Google generates the Delegation Signer (DS) record for manual insertion into the parent zone.

Google Cloud DNS does everything needed to enable DNSSEC in your zone, and it can be done with a single CLI command. The last step, activating DNSSEC, requires inserting the DS resource record into the parent zone. The parent zone must itself be signed with its own DS published in its parent, so that the chain of trust runs unbroken from the root down to your zone. Two caveats worth remembering: the DS is bound to the KSK, so anything that replaces the KSK changes the DS and the parent must be updated to match; and if you ever turn DNSSEC off, remove the DS from the parent first and wait for its TTL to expire, because a validating resolver that finds a DS with no matching signed DNSKEY rejects the whole zone (SERVFAIL).

Google Cloud DNS Pricing

Each time I review a service, I investigate the pricing. This is a good habit so that you know how to balance your designs with real-world costs. I also do not want billing surprises on my personal accounts.

I could not find information about pricing for DNSSEC. The pricing for Google Cloud DNS is published. My unofficial understanding is that DNSSEC is not an additional charge above the cost of queries. In summary, Google Cloud DNS charges per managed zone and per DNS query. Managed zones are $0.20 per month (zones 1-25) and queries are $0.40 per million per month. You can practice with DNS zones and DNSSEC for less than $1.00.

Summary

Total time: 4 hours.

My study and practice tonight was very interesting. The mystery surrounding DNSSEC is gone and I understand the DNS resource records, their formats, and how they are used. Google Cloud DNS hides some of these records in the Google Cloud Console, but these resource records are available to the CLI and network tools such as dig. Tomorrow I will work on the Terraform code that does everything for a delegated subzone (creation, enabling DNSSEC, and creating the correct DNS resource records in the parent zone and subzone).

March 5, 2021 – Day #4 – DNSSEC

Today, I continued my deep dive into DNS Delegated Subzones. I completed the Terraform code that creates a delegated subdomain and activates and enables DNSSEC. Tomorrow I will create a GitHub repository and publish the code. I also spent time improving the text and references for what I previously wrote.

Tomorrow I will improve this section on today’s progress.

The following is a sample of the Terraform code created today. I have the code broken into three files: variables.tf, main.tf and outputs.tf. The following is the main.tf source. All three files plus a README.md will be put on GitHub this weekend.

This example assumes that the parent zone (example.com) is hosted in Google Cloud DNS and already has DNSSEC activated. This code creates a child domain (subdomain.example.com), enables DNSSEC, and pushes the DS record to the parent zone which activates DNSSEC for the child domain. You can compare this version with the version published two days ago to see the exact changes necessary to activate and enable DNSSEC.

terraform {
  required_version = ">= 0.14.7"
}

provider "google" {
  credentials = var.gcp_service_account
  project     = var.gcp_project
  region      = var.gcp_region
}

# The delegated subzone, created with DNSSEC enabled. Cloud DNS generates the
# KSK and ZSK, publishes the DNSKEY records and signs the zone (NSEC3 gives
# authenticated denial of existence without allowing zone enumeration).
resource "google_dns_managed_zone" "gcp_child_zone" {
  name        = var.zonename
  dns_name    = var.dnsname
  project     = var.gcp_project
  description = "Managed by Terraform, Delegated Subzone"
  dnssec_config {
    state         = "on"
    non_existence = "nsec3"
  }
}

# The keys only exist once the zone above has been created and signed, so the
# read is deferred to apply time with depends_on instead of running during plan.
data "google_dns_keys" "gcp_child_dns_keys" {
  managed_zone = google_dns_managed_zone.gcp_child_zone.name
  depends_on   = [google_dns_managed_zone.gcp_child_zone]
}

# The existing, already signed parent zone (example.com).
data "google_dns_managed_zone" "gcp_parent_zone" {
  name = var.parent-zonename
}

# Delegation: the child zone's name servers as an NS record set in the parent.
resource "google_dns_record_set" "dns-ns" {
  name         = google_dns_managed_zone.gcp_child_zone.dns_name
  managed_zone = data.google_dns_managed_zone.gcp_parent_zone.name
  type         = "NS"
  ttl          = 300
  rrdatas      = google_dns_managed_zone.gcp_child_zone.name_servers
}

# Activation: the DS record for the child's key signing key, published in the
# parent. This is the step that extends the chain of trust to the subzone.
# On destroy, Terraform removes this record set before the child zone, which is
# the correct order: a DS must never point at a zone that no longer signs.
resource "google_dns_record_set" "dns-ds" {
  name         = google_dns_managed_zone.gcp_child_zone.dns_name
  managed_zone = data.google_dns_managed_zone.gcp_parent_zone.name
  type         = "DS"
  ttl          = 300
  rrdatas      = [data.google_dns_keys.gcp_child_dns_keys.key_signing_keys[0].ds_record]
}

# A sample record inside the child zone. Referencing the zone resource gives
# Terraform the dependency, so no explicit depends_on is needed.
resource "google_dns_record_set" "dns-www" {
  name         = "www.${google_dns_managed_zone.gcp_child_zone.dns_name}"
  managed_zone = google_dns_managed_zone.gcp_child_zone.name
  type         = "CNAME"
  ttl          = 300
  rrdatas      = [var.www-dnscname]
}

Summary

Total time: 2 hours.

March 6, 2021 – Day #5 – Terraform + Cloud DNS + Cloud IAM

Before being notified about needing to recertify for security, I had already booked the HashiCorp Certified: Terraform Associate for March 29 at 3 PM. I do not want to reschedule that exam, so I will prepare for both the Terraform and Security certifications at the same time. This is also a good opportunity to use Terraform for security services where possible. I wrote another article documenting my practice with Terraform in a new article: Terraform – Experiments with Google Cloud DNS and IAM.

Summary

Total time: 6 hours.

[To be continued]

Part 4: Tips and Advice

To be written.

Part 5: Final Exam

To be written.