Viewing DNSSEC Keys

A DNSKEY is a DNS record type that contains a public signing key. You may need to see the DNSKEY records in some cases—in particular, if you are migrating a DNSSEC signed zone to another DNS operator, the process in RFC 6781 requires importing the Zone-Signing Key (ZSK) and Key-Signing Key (KSK) DNSKEYs from the Cloud DNS zone into the other operator's zone.

If DNSSEC has been enabled for a zone, Cloud DNS automatically manages the creation and rotation of DNSSEC keys (DNSKEY records) and the signing of zone data with RRSIG records. Cloud DNS does not support automatic rotation of Key-Signing Keys (KSKs), as KSK rotations currently require manual interaction with the domain registrar, but does perform fully automatic Zone-Signing Key (ZSK) rotations. You can view the automatically managed DNSKEYs with the command-line tool or REST API.

Before you begin

Before you can view DNSSEC keys, you need to have already created a managed zone and enabled DNSSEC for the zone so that DNSKEY records are created.

For all the gcloud command-line examples below, you can specify the --project parameter to operate on a different project.

Displaying the current DNSKEYs

To display the current DNSKEY records for your zone:

Command line

gcloud dns dns-keys list --zone [ZONE_NAME]

This command prints all DNSKEYs in JSON format.

gcloud dns dns-keys describe --zone [ZONE_NAME] [KEY_ID]

This command prints the specified DNSKEY in JSON format.

API

      # Python client for the Cloud DNS REST API (google-api-python-client).
      from googleapiclient import errors
      from googleapiclient.discovery import build

      service = build('dns', 'v1')

      # List all DNSKEYs in the zone (equivalent of `gcloud dns dns-keys list`).
      try:
        response = service.dnsKeys().list(project=PROJECT_NAME,
                                          managedZone=ZONE_NAME).execute()
        print(response)
      except errors.HttpError as error:
        print('An error occurred: %s' % error)

      # Fetch a single DNSKEY by id (equivalent of `gcloud dns dns-keys describe`).
      try:
        response = service.dnsKeys().get(project=PROJECT_NAME,
                                         managedZone=ZONE_NAME,
                                         dnsKeyId=KEY_ID).execute()
        print(response)
      except errors.HttpError as error:
        print('An error occurred: %s' % error)
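Before the RFC 6781 handover described above, it is worth confirming that the DS record published at the registrar really corresponds to the active KSK the API reports. The following is an added example, not Cloud DNS documentation or client code: it recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) from the publicKey, type and algorithm fields of a response shaped like dnsKeys.list, so the result can be compared against the API's own keyTag and digests fields and against the parent zone. The response and zone name are constructed samples with placeholder key material.

```python
import base64
import hashlib
import struct

# Cloud DNS API algorithm mnemonics -> IANA DNSKEY algorithm numbers.
ALGORITHM_NUMBERS = {"rsasha1": 5, "rsasha256": 8, "rsasha512": 10,
                     "ecdsap256sha256": 13, "ecdsap384sha384": 14}
FLAGS = {"keySigning": 257, "zoneSigning": 256}  # SEP bit set only on KSKs
PROTOCOL = 3                                      # fixed by RFC 4034 2.1.2

# Constructed sample shaped like a dnsKeys.list response; the publicKey
# values are short placeholders, not real key material.
SAMPLE_RESPONSE = {"dnsKeys": [
    {"id": "0", "type": "keySigning", "algorithm": "rsasha256",
     "isActive": True, "publicKey": "AQAB"},
    {"id": "1", "type": "zoneSigning", "algorithm": "rsasha256",
     "isActive": True, "publicKey": "AQID"},
]}

def dnskey_rdata(key):
    """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
    header = struct.pack("!HBB", FLAGS[key["type"]], PROTOCOL,
                         ALGORITHM_NUMBERS[key["algorithm"]])
    return header + base64.b64decode(key["publicKey"])

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner):
    """Canonical (lowercase) wire form of the zone apex name."""
    labels = [lab for lab in owner.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_records(response, owner):
    """(id, key tag, algorithm, DS text) for each active KSK; digest type 2 = SHA-256."""
    records = []
    for key in response["dnsKeys"]:
        if key["type"] != "keySigning" or not key.get("isActive", False):
            continue
        rdata = dnskey_rdata(key)
        tag, alg = key_tag(rdata), ALGORITHM_NUMBERS[key["algorithm"]]
        # RFC 4509: DS digest is SHA-256 over canonical owner name + DNSKEY RDATA.
        digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
        records.append((key["id"], tag, alg, f"{owner} IN DS {tag} {alg} 2 {digest}"))
    return records
```

Run ds_records over the real dnsKeys.list response and compare each returned key tag and digest with the keyTag and digests fields the API reports and with the DS set the parent serves; a mismatch means the chain of trust will break when the zone moves.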

Next steps