
Seems like an organizational failure, as they got conned by their 3PAO into believing that DNSSEC was a requirement for FedRAMP moderate when it's not. The disproof of this belief is that Google has FedRAMP High (for Google Cloud and Workspace) but does not use DNSSEC for google.com.


The ultimate arbiter of whether a cloud service gets used isn't FedRAMP, it's the Agency Authorizing Official. FedRAMP just makes much of the work reusable. With GCP, you can build something that obeys and uses DNSSEC without needing google.com to participate in DNSSEC.

Google Workspace is a good point though. I know there are many users of it in government... maybe some AOs are fine signing off on it even without the needed security controls, which is an option they have in their discretion with and without FedRAMP.


If you use https everywhere, you will have a server certificate with the hostname embedded in it. This is how TLS knows you’re talking to the right server.
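The hostname check that comment refers to, as an added example that is not part of the thread: matching the name a client dialled against the dNSName entries in a certificate's subjectAltName. The function names and the SAN list are constructed for illustration, and rejecting a wildcard with fewer than two labels after it (such as `*.test`) is a conservative choice made here, not something the thread states.

```python
import ipaddress


def _is_ip(value):
    """IP literals are checked against iPAddress SANs, never dNSName ones."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """True if one SAN dNSName entry covers the hostname the client asked for."""
    pattern = pattern.lower().rstrip(".")      # DNS names are case-insensitive
    hostname = hostname.lower().rstrip(".")    # ignore a trailing root dot
    if not pattern or not hostname or _is_ip(hostname):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "" in h_labels or "*" in hostname:
        return False                           # malformed reference name
    if len(p_labels) != len(h_labels):
        return False                           # a wildcard covers exactly one label
    if p_labels[0] == "*":
        # Wildcard must be the whole leftmost label, with a real domain after it.
        if len(p_labels) < 3 or any("*" in label for label in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False                           # partial wildcards such as "w*.x" rejected
    return p_labels == h_labels


def certificate_covers(hostname, san_dns_names):
    """True if any dNSName in the certificate matches the requested hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


# Constructed SAN list, not taken from any real certificate.
SAMPLE_SAN = ["example.test", "*.api.example.test"]

if __name__ == "__main__":
    for name in ["example.test", "v1.api.example.test", "api.example.test",
                 "a.b.api.example.test", "example.test.other.invalid"]:
        print(f"{name:32} covered={certificate_covers(name, SAMPLE_SAN)}")
```
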



