{"results":[{"id":"cloud-dns-admin-cannot-set-iam-policy","text":"`roles/dns.admin` can manage DNS records but cannot set IAM policies on zones (lacks `setIamPolicy` permission).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-alias-records-skipped-bind-export","text":"ALIAS records are skipped when exporting Cloud DNS zones to BIND format.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-at-symbol-literal","text":"The `@` symbol in Cloud DNS Console is treated literally, not as an apex alias — leave the DNS name field blank for apex records.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-bind-import-trailing-dots","text":"BIND zone file imports require trailing dots on fully qualified domain names to avoid relative-name interpretation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-cname-exclusivity","text":"If a CNAME record exists at a DNS name, no other record type can coexist at that name.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-configuration-cascading-side-effects","text":"Cloud DNS configuration changes have cascading side effects that extend beyond the modified resource: enabling an outbound server policy silently disables resolution of all private zones, forwarding zones, and peering zones; disabling DNSSEC must follow a registrar-first sequence or it causes resolution failures for the entire zone; and CNAME exclusivity silently prevents coexistence with any other record type at the same name — making DNS changes among the highest-blast-radius operations in GCP 
networking.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-cross-project-binding-same-org","text":"Cross-project binding zones work only within the same organization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-disable-dnssec-registrar-first","text":"Before disabling DNSSEC on a Cloud DNS managed zone, DNSSEC must be deactivated at the domain registrar first to avoid resolution failures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-dns64-well-known-prefix","text":"DNS64 synthesizes IPv6 addresses using the Well-Known Prefix `64:ff9b::/96` per RFC 6052 and requires NAT64 via Cloud NAT.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-dnssec-authentication-not-encryption","text":"DNSSEC provides authentication against spoofing and cache poisoning, not encryption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-must-empty-zone-before-delete","text":"All records except SOA and NS must be removed before a Cloud DNS zone can be deleted via gcloud.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-no-forwarding-for-public-zones","text":"Cloud DNS does not support DNS forwarding for public zones — public zones must be authoritative.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-ns-soa-auto-created-cannot-delete","text":"NS and SOA records at the zone apex are auto-created and cannot be deleted via the API; they are removed only when 
the zone is deleted (per RFC 1034).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-outbound-policy-disables-private-zones","text":"Using a Cloud DNS outbound server policy disables resolution of all Cloud DNS private zones, forwarding zones, peering zones, and Compute Engine internal DNS zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-reverse-lookup-zones-non-rfc1918","text":"Managed reverse lookup zones are needed for non-RFC 1918 PTR records on Compute Engine VMs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-security-limited-and-operationally-fragile","text":"Cloud DNS security is limited in scope (DNSSEC provides authentication against spoofing and cache poisoning only, not encryption) and operationally fragile (configuration changes have cascading side effects: enabling an outbound server policy silently disables resolution of private zones, and CNAME exclusivity creates implicit constraints) — security-relevant DNS changes can silently break zone resolution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-service-directory-zones-no-direct-records","text":"Service Directory zones cannot have records added directly — data comes from the Service Directory namespace.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-shared-vpc-zones-in-host-project","text":"Shared VPC private/forwarding/peering zones must be created in the host project (or use cross-project binding in service 
projects).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-transactions-atomic","text":"Cloud DNS transactions group multiple record changes into an atomic unit — the entire transaction succeeds or fails.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-uses-anycast","text":"Cloud DNS uses anycast to serve zones from multiple global locations for high availability and low latency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":33,"limit":20,"offset":0}