This article is a journal of my path to take the Google Professional Cloud Security Engineer Recertification. I plan to track my progress, resources and post exam tips.
Date created: March 2, 2021
Last updated: March 7, 2021
Exam Completed: TBD
Part 1: Introduction
Part 2: Post Exam Review
Part 3: Daily Study
Part 4: Tips and Advice
Part 5: Final Exam
Part 1: Introduction
Two years ago, I started preparing for the Professional Cloud Security Engineer certification. I wrote an in-depth article covering my preparation for the exam and my exam experience. I took the certification during the beta period, so I had to wait for the results. Passing that certification exam opened the door to lots of opportunities and I have studied and implemented security for Google Cloud almost every day since.
I just received an email notification from Google, that I must recertify by March 29, 2021. I could probably pass the exam with no additional preparation, but I like to be prepared. This is also the perfect reason to reevaluate everything related to Google Cloud security and polish those areas that I do not work with every day. When I prepared for the beta exam, I spent ten days preparing. This time I have almost a month to prepare.
Define the objectives:
- Pass the recertification.
- Improve my security knowledge.
- Pick three Google Cloud security services that I am weak with and improve significantly.
Define the requirements to meet the objectives:
- I am guessing, but I think two hours each day, four days per week for the core exam. Given three weeks, this is 24 hours of focused preparation.
- Spend two to four hours once per week on a service that I am weak with. Three services, six to twelve more hours of focused preparation.
Define the strategy:
- Let my family and friends know about my plans. Ask for their support and understanding.
- Review the Exam Guide.
- For each study period:
  - 30 minutes reading documentation.
  - 30 minutes watching Google, Pluralsight, and/or YouTube videos on the latest services and features.
  - 60 minutes in the Google Cloud Console deploying and practicing with security services.
- Select six whitepapers to study in-depth.
- Bonus work: study several new security-related APIs and write some sample code.
Summary:
Over the past two years, I focused on my weak areas from the last exam and applied what I know as part of my job. I am very comfortable with security in general and with the low-level details of Google Cloud. I do not expect any difficulties passing the recertification.
[I will update this article often as I prepare for the exam].
Part 2: Post Exam Review
To be written.
Part 3: Daily Study
March 2, 2021 – Day #1 – Preparation Start + DNSSEC
- Today I started by getting organized. I placed a 2-foot x 4-foot folding table next to my desk. I cleaned the table and located a new spiral notebook, small notepads, pens, and my favorite bookmarks. I had previously ordered a new TaoTronics LED lamp, and I placed this lamp on the table. Perfect light for reading. I located my books on security and on Google Cloud and organized everything on the table. I have a 43-inch 4K TV and soundbar that I plan to watch YouTube videos on. Great screen resolution and very easy on the eyes. Much better than a monitor and headphones.
- A thorough review of the certification exam guide. I printed this document and then checked off every area where I was not at an advanced level. I then narrowed this list down to twelve areas to focus on, one per day. I wish I had kept the exam guide from two years ago so that I could compare. I created a PDF copy today for recertification work in two years.
- Review the Google Cloud resources that are available. One item that stands out: Solve with Google. I entered “security” in the search area and a number of articles stand out as must-reads. I will list these later after I select a few that meet my objectives.
Today I decided to start with DNSSEC. DNSSEC is on the Exam Guide. I am currently studying Google Cloud DNS Internationalized Domain Names (IDN), so adding DNSSEC is a logical continuation. I will also study some of the past vulnerabilities that caused the industry to create the Domain Name System Security Extensions (DNSSEC). A quick Google search for “google cloud dnssec” turned up a lot of Google-authored articles. I have some serious reading to do. This will exceed my per-topic allocated time, so I will add more time to my studies.
I am already comfortable with DNSSEC as I have deployed DNSSEC for several domains including my own. However, I need to put more effort into mastering this topic and technology. There is no better time to start than right now. I also plan to document the steps to set up DNSSEC on one of my practice domains and write code to validate DNSSEC.
DNSSEC Resources:
- YouTube:
  - DNSSEC What it is and what it isn’t (40 minutes)
    - This is a great video that I recommend everyone watch. Great speaker, very interesting security topics. This video will have you thinking about DNS, MFA, nation-state hackers, and more. This video alone now makes me seriously consider DNSSEC for all domains.
  - DNSSEC Tutorial (87 minutes)
    - This is a great video on DNSSEC. The speaker is an expert with years of experience. It took me three hours to watch the first 45 minutes. I took so many notes and repeated so many sections that a 90-minute video will take six hours to complete.
Summary
Total time: 4 hours.
I spent a lot of time this evening watching the two videos and taking a lot of notes. More than I planned. These videos really motivated me to go deeper into DNS, DNSSEC, BGP, SSL, and MFA. Often, I feel burned out after a long session. These topics have me motivated to dig deeper.
March 3, 2021 – Day #2 – DNSSEC
Today, I studied the Google Cloud documentation listed below, with a focus on “Using advanced DNSSEC”. I then took my domain jhanley.org, which already has DNSSEC enabled, and practiced creating “delegated subzones” so that I could go through the entire process of setting up DNSSEC, including creating the DS record in the parent zone. I wrote commands using the gcloud CLI and HashiCorp Terraform. Terraform makes creating delegated subzones very easy. I plan to publish an article on using Terraform for delegated subzones tomorrow.
The following is a sample of the Terraform code created today:
```hcl
terraform {
  required_version = ">= 0.14.7"
}

provider "google" {
  credentials = var.gcp_service_account
  project     = var.gcp_project
  region      = var.gcp_region
}

# The delegated subzone (child zone) that this configuration creates.
resource "google_dns_managed_zone" "gcp_child_zone" {
  name        = var.zonename
  dns_name    = var.dnsname
  project     = var.gcp_project
  description = "Managed by Terraform, Delegated Subzone"
}

# The existing parent zone that will delegate to the child zone.
data "google_dns_managed_zone" "gcp_parent_zone" {
  name = var.parent-zonename
}

# NS records in the parent zone pointing at the child zone's name servers.
resource "google_dns_record_set" "dns-ns" {
  name         = var.dnsname
  managed_zone = var.parent-zonename
  type         = "NS"
  ttl          = "21600"
  rrdatas      = [for ns in google_dns_managed_zone.gcp_child_zone.name_servers : ns]
  depends_on   = [google_dns_managed_zone.gcp_child_zone]
}

# A sample record inside the child zone.
resource "google_dns_record_set" "dns-www" {
  name         = var.www-dnsname
  managed_zone = var.zonename
  type         = "CNAME"
  ttl          = "300"
  rrdatas      = [var.www-dnscname]
}
```
DNSSEC Resources:
- Google Cloud Documentation:
- Supplemental Information:
Summary
Total time: 4 hours.
I quickly became bored reading documentation today. By the time I finished reading Using advanced DNSSEC, I wanted to deploy something. Tomorrow I plan to continue practicing with DNSSEC now that I have Terraform code for creating and deleting delegated subzones.
March 4, 2021 – Day #3 – DNSSEC
Today, I continued my deep dive into DNS Delegated Subzones. With the Terraform code that I created yesterday, I can now quickly create and destroy a delegated subzone.
Using the CLI, I enabled DNSSEC on the subzone and created the DS resource record in the parent zone. I am very glad that I continued down this path, as the mystery of enabling DNSSEC is gone. If your DNS servers are Google Cloud DNS, this process is easy. I started an in-depth article on this process that I will publish this weekend. My last step is to complete the Terraform code that does everything: creating the delegated subzone, enabling DNSSEC, and publishing the DS record in the parent zone. With the Terraform code, creating a DNSSEC-enabled delegated subzone becomes a simple process of entering values for the Terraform variables. Maybe I will go one step further and create a Python or C# program to do everything.
Now that I understand how to enable DNSSEC and create the required records, the next major item is how to validate DNSSEC programmatically. I guess that validation is not required for the exam, so I will make that task extra credit for personal benefit.
DNSSEC Resources:
- Google Cloud Documentation:
  - Activating DNSSEC for Cloud DNS domains
    - This is a good document that goes into additional details about enabling and activating DNSSEC with Google Cloud DNS.
    - A section on domain registrar-specific instructions.
    - Out-of-date information about Amazon Route 53 – Route 53 now supports DNSSEC for hosted zones.
Below are the major steps to enable and activate DNSSEC. The parent domain is jhanley.org, which already has DNSSEC enabled. The subzone is dnssec.jhanley.org. The respective Google Cloud DNS zone names are jhanley-org and dnssec-jhanley-org.
Step 1. Enable DNSSEC for the delegated subzone
```shell
gcloud dns managed-zones update dnssec-jhanley-org --dnssec-state on
```
DNSSEC is now enabled for the delegated subzone; Step 4 will activate it. It takes some time for the DNS resource records to be created after Step 1, so wait a few minutes before inserting the DS resource record into the parent zone in Step 4 below. You can use dig to verify that each of the delegated subzone's name servers is responding with the correct records. Replace my-nameserver-x with your zone's four name servers. The output should look like the dig output in Step 2.
```shell
dig -t dnskey dnssec.jhanley.org +multiline @my-nameserver-1
dig -t dnskey dnssec.jhanley.org +multiline @my-nameserver-2
dig -t dnskey dnssec.jhanley.org +multiline @my-nameserver-3
dig -t dnskey dnssec.jhanley.org +multiline @my-nameserver-4
```
Step 2. List the DNSKEYs for the delegated subzone
```shell
gcloud dns dns-keys list --zone dnssec-jhanley-org
```
Example output
```text
ID  KEY_TAG  TYPE         IS_ACTIVE  DESCRIPTION
0   9496     keySigning   True
1   35664    zoneSigning  True
```
In the above output notice the entry for “keySigning”. You will need the ID for the next step.
A comparable dig command is:
```shell
dig -t dnskey dnssec.jhanley.org +multiline
```
Example output:
```text
;; ANSWER SECTION:
dnssec.jhanley.org.     0 IN DNSKEY 256 3 8 (
                AwEAAY42LhNrq3aTrX2AFWpTDoRbHeezydbh4QthiK94
                HYHM0VY5Jgb151ynHQr7zSg5bSt7wfJayw1nPhfQ3maO
                0h7ByzKTXaWnNgO3uMykZdSkS7EpSSuCUSlxLWS2qoka
                A/zEeYXo3WJ0BoUHT42FJpAyZKbon55P6dVMsRnrf/rr
                ) ; ZSK; alg = RSASHA256 ; key id = 35664
dnssec.jhanley.org.     0 IN DNSKEY 257 3 8 (
                AwEAAa1Xhn05itsgy2joQ/Qb8EBOkCHAYpqEOleUYuje
                FfBh51uTWQPiWxgy05hSHS75YGWrBZ7hPqp8voVkdng3
                94WirXcCpOl1+c9bzfrNxM/wtPTFUHxbawuB2Rhvws8o
                txH1FvTr9lWSdxTfd6f9+Wo9VR7tqeFyVL26MKIdn4sG
                UAu0a7cAjHK/l3OtYWLnwJ8vqrI3J0ARbPJcDO0H8fW1
                Z3SAKZQWXX7Hlk3ISkbPrEHw1MR3pikGo+H2KWFEaQuW
                Z8AohH9JXu4kNTS7XD/b0n1ZjzYEKtO7xiDCK/jp2Kf7
                sqA/GCxEReA51QxgMoCYucOeJ4VDGffx1NEdo8E=
                ) ; KSK; alg = RSASHA256 ; key id = 9496
```
Notice in the above output that dig uses key id = 9496, whereas Google Cloud DNS calls this the KEY_TAG.
Step 3. Get the DS record from the subzone. The output is used to create the DS record in the parent zone.
```shell
gcloud dns dns-keys describe 0 --zone dnssec-jhanley-org --format "value(ds_record())"
```
Example output
```text
9496 8 2 95AB1B3B0AA0FA83E3EEF7285D7EE2E75DE26196D9CFF78B540FF684FA00BDBA
```
In the above output, save the entire line.
DS records have the following data elements:
- Key Tag: A short numeric value that helps quickly identify the referenced DNSKEY record.
- Algorithm: The algorithm of the referenced DNSKEY record.
- Digest Type: The cryptographic hash algorithm used to create the Digest value.
- Digest: A cryptographic hash value of the referenced DNSKEY record.
  - The digest is calculated by concatenating the canonical form of the fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA, and then applying the digest algorithm.
Reference: Resource Records for the DNS Security Extensions – RFC 4034
In my example:
- 9496 is the Key Tag.
- 8 is the Algorithm, which is RSA/SHA-256.
- 2 is the Digest Type, which is SHA-256.
- 95AB1… is the Digest.
- Reference: RFC 4034 The Digest Field
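The digest rule above (digest over canonical owner name plus DNSKEY RDATA) and the key tag from RFC 4034 Appendix B are easy to recompute yourself, which is a useful check before a DS record is pushed into a parent zone: a DS that does not match the child's KSK breaks the chain of trust for the whole subzone. The following is an added example written for this article, not code from the original post or from Google Cloud; it uses only the Python standard library. The article's KSK for dnssec.jhanley.org and the DS record printed by gcloud in Step 3 are embedded as sample input, and the function names (canonical_owner_name, dnskey_rdata, key_tag, ds_record, ds_matches) are this example's own.

```python
"""Recompute a DS record from a DNSKEY per RFC 4034 (added example, not the article's code)."""
import base64
import hashlib
import struct

# DS digest types (IANA DS-RR digest type registry); 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}

# Sample input copied from the article: the KSK (flags 257, protocol 3, algorithm 8)
# that dig returned for dnssec.jhanley.org, and the DS record gcloud printed for it.
ARTICLE_OWNER = "dnssec.jhanley.org"
ARTICLE_KSK_B64 = (
    "AwEAAa1Xhn05itsgy2joQ/Qb8EBOkCHAYpqEOleUYuje"
    "FfBh51uTWQPiWxgy05hSHS75YGWrBZ7hPqp8voVkdng3"
    "94WirXcCpOl1+c9bzfrNxM/wtPTFUHxbawuB2Rhvws8o"
    "txH1FvTr9lWSdxTfd6f9+Wo9VR7tqeFyVL26MKIdn4sG"
    "UAu0a7cAjHK/l3OtYWLnwJ8vqrI3J0ARbPJcDO0H8fW1"
    "Z3SAKZQWXX7Hlk3ISkbPrEHw1MR3pikGo+H2KWFEaQuW"
    "Z8AohH9JXu4kNTS7XD/b0n1ZjzYEKtO7xiDCK/jp2Kf7"
    "sqA/GCxEReA51QxgMoCYucOeJ4VDGffx1NEdo8E="
)
ARTICLE_DS = "9496 8 2 95AB1B3B0AA0FA83E3EEF7285D7EE2E75DE26196D9CFF78B540FF684FA00BDBA"


def canonical_owner_name(name: str) -> bytes:
    """Owner name in canonical wire format: lower-cased labels, each prefixed by its
    length, terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B). This is the generic
    algorithm; it does not cover the historic algorithm 1 (RSA/MD5) special case."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF              # fold the carries back in once
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key_b64: str, digest_type: int = 2) -> str:
    """Return DS RDATA as "<key tag> <algorithm> <digest type> <HEX digest>".
    The digest is hash(canonical owner name || DNSKEY RDATA)."""
    public_key = base64.b64decode("".join(public_key_b64.split()))
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    hasher = DIGEST_ALGORITHMS[digest_type]
    digest = hasher(canonical_owner_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               public_key_b64: str, published_ds: str) -> bool:
    """True when a published DS (as printed by gcloud or found in the parent zone)
    matches the DS recomputed from the child's DNSKEY; comparison is case-insensitive."""
    tag, alg, dtype, digest = published_ds.split()
    computed = ds_record(owner, flags, protocol, algorithm, public_key_b64, int(dtype))
    return computed.split() == [tag, alg, dtype, digest.upper()]


if __name__ == "__main__":
    computed = ds_record(ARTICLE_OWNER, 257, 3, 8, ARTICLE_KSK_B64)
    print("computed :", computed)
    print("published:", ARTICLE_DS)
    if ds_matches(ARTICLE_OWNER, 257, 3, 8, ARTICLE_KSK_B64, ARTICLE_DS):
        print("DS record matches the KSK; safe to publish in the parent zone.")
    else:
        print("MISMATCH: do not publish this DS record.")
```

Run it as a script to compare the recomputed DS with the one gcloud produced. The same functions apply to any zone: paste the DNSKEY fields from dig (flags, protocol, algorithm, key) and the DS you are about to publish, and check the result before touching the parent zone.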
Step 4. Add the DS Resource Record to the parent zone
Google Cloud DNS uses record-set transactions. The first command starts a transaction, which is stored in the file transaction.yaml; the second command adds the DS record to that transaction; and the third command executes the transaction stored in transaction.yaml and deletes the file.
Notice that the output from Step 3 is used in the second command as the RRDATAS command argument.
```shell
gcloud dns record-sets transaction start --zone jhanley-org
gcloud dns record-sets transaction add --zone jhanley-org --ttl 300 --type DS --name dnssec.jhanley.org "9496 8 2 95AB1B3B0AA0FA83E3EEF7285D7EE2E75DE26196D9CFF78B540FF684FA00BDBA"
gcloud dns record-sets transaction execute --zone jhanley-org
```
DNSSEC Online Validation Tools:
- Verisign Labs: DNSSEC Analyzer.
- Sandia National Laboratories: DNSViz.
Interesting sites that display DNSSEC information:
- GWhois – Very interesting detail for domains with DNSSEC enabled.
- Google Public DNS Displays the DNS server responses and performs DNSSEC validation. Very interesting.
Other interesting sites:
- Google Public DNS Flush Cache – Refresh the Google Public DNS cache for a domain. Useful when you change registrars or name servers.
- DNS Checker – Verify that your DNS resource records have propagated from multiple global locations. Might be a good way to check if the DNSKEY resource records have propagated.
Benefits of using Google Cloud DNS for DNSSEC
- Google creates the Key Signing Key (KSK) and Zone Signing Key (ZSK) for you and inserts them into your zone as the DNSKEY.
- Google manages Zone Signing Key rotation.
- Google generates the Delegation Signer (DS) record for manual insertion into the parent zone.
Google Cloud DNS does everything for you to enable DNSSEC in your zone, and this can be done with a single CLI command. The last step, activating DNSSEC, requires inserting the DS resource record into the parent zone. The parent zone must also have DNSSEC enabled.
Google Cloud DNS Pricing
Each time I review a service, I investigate the pricing. This is a good habit so that you know how to balance your designs with real-world costs. I also do not want billing surprises on my personal accounts.
I could not find information about pricing for DNSSEC. The pricing for Google Cloud DNS is published. My unofficial understanding is that DNSSEC is not an additional charge above the cost of queries. In summary, Google Cloud DNS charges per managed zone and per DNS query. Managed zones are $0.20 per month (1-25) and queries are $0.40 per million per month. You can practice with DNS zones and DNSSEC for less than $1.00.
Summary
Total time: 4 hours.
My study and practice tonight was very interesting. The mystery surrounding DNSSEC is gone, and I understand the DNS resource records, their formats, and how they are used. Google Cloud DNS hides some of these records in the Google Cloud Console, but they are available to the CLI and to network tools such as dig. Tomorrow I will work on the Terraform code that does everything for a delegated subzone (creation, enabling DNSSEC, and creating the correct DNS resource records in the parent zone and subzone).
March 5, 2021 – Day #4 – DNSSEC
Today, I continued my deep dive into DNS Delegated Subzones. I completed the Terraform code that creates a delegated subdomain and activates and enables DNSSEC. Tomorrow I will create a GitHub repository and publish the code. I also spent time improving the text and references for what I previously wrote.
Tomorrow I will improve this section on today’s progress.
The following is a sample of the Terraform code created today. I have the code broken into three files: variables.tf, main.tf and outputs.tf. The following is the main.tf source. All three files plus a README.md will be put on GitHub this weekend.
This example assumes that the parent zone (example.com) is hosted in Google Cloud DNS and already has DNSSEC activated. This code creates a child domain (subdomain.example.com), enables DNSSEC, and pushes the DS record to the parent zone which activates DNSSEC for the child domain. You can compare this version with the version published two days ago to see the exact changes necessary to activate and enable DNSSEC.
```hcl
terraform {
  required_version = ">= 0.14.7"
}

provider "google" {
  credentials = var.gcp_service_account
  project     = var.gcp_project
  region      = var.gcp_region
}

# The delegated subzone, created with DNSSEC enabled (Google generates the KSK/ZSK).
resource "google_dns_managed_zone" "gcp_child_zone" {
  name        = var.zonename
  dns_name    = var.dnsname
  project     = var.gcp_project
  description = "Managed by Terraform, Delegated Subzone"

  dnssec_config {
    state         = "on"
    non_existence = "nsec3"
  }
}

# Reads the DNSKEYs Google generated for the child zone, including the DS record for the KSK.
data "google_dns_keys" "gcp_child_dns_keys" {
  managed_zone = var.zonename
  depends_on   = [google_dns_managed_zone.gcp_child_zone]
}

# The existing parent zone that delegates to the child zone.
data "google_dns_managed_zone" "gcp_parent_zone" {
  name = var.parent-zonename
}

# NS delegation records in the parent zone.
resource "google_dns_record_set" "dns-ns" {
  name         = var.dnsname
  managed_zone = var.parent-zonename
  type         = "NS"
  ttl          = "300"
  rrdatas      = [for ns in google_dns_managed_zone.gcp_child_zone.name_servers : ns]
  depends_on   = [google_dns_managed_zone.gcp_child_zone]
}

# DS record in the parent zone; publishing it activates DNSSEC for the child zone.
resource "google_dns_record_set" "dns-ds" {
  name         = var.dnsname
  managed_zone = var.parent-zonename
  type         = "DS"
  ttl          = "300"
  rrdatas      = [data.google_dns_keys.gcp_child_dns_keys.key_signing_keys[0].ds_record]
}

# A sample record inside the child zone.
resource "google_dns_record_set" "dns-www" {
  name         = "www.${var.dnsname}"
  managed_zone = var.zonename
  type         = "CNAME"
  ttl          = "300"
  rrdatas      = [var.www-dnscname]
  depends_on   = [google_dns_managed_zone.gcp_child_zone]
}
```
Summary
Total time: 2 hours.
March 6, 2021 – Day #5 – Terraform + Cloud DNS + Cloud IAM
Before being notified about needing to recertify for security, I had already booked the HashiCorp Certified: Terraform Associate exam for March 29 at 3 PM. I do not want to reschedule that exam, so I will prepare for both the Terraform and Security certifications at the same time. This is also a good opportunity to use Terraform for security services where possible. I documented my practice with Terraform in a new article: Terraform – Experiments with Google Cloud DNS and IAM.
Summary
Total time: 6 hours.
[To be continued]
Part 4: Tips & Advice
To be written.
Part 5: Final Exam
To be written.
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) and virtualization, and 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.
April 16, 2021 at 12:12 PM
This is great, thank you for sharing. What is your preferred way to take notes? i.e. pen/paper, note taking app?
April 19, 2021 at 4:35 PM
For me, I find that writing things down on paper helps to reinforce my memory. Once I have written down a concept, I then read it aloud a couple of times. I can still remember notes written years ago with that method.