A DNSKEY is a DNS record type that contains a public signing key. You may need to see the DNSKEY records in some cases. In particular, if you are migrating a DNSSEC-signed zone to another DNS operator, the process in RFC 6781 requires importing the Zone-Signing Key (ZSK) and Key-Signing Key (KSK) DNSKEYs from the Cloud DNS zone into the other operator's zone.
If DNSSEC has been enabled for a zone, Cloud DNS automatically manages the creation and rotation of DNSSEC keys (DNSKEY records) and the signing of zone data with RRSIG records. Cloud DNS does not support automatic rotation of Key-Signing Keys (KSKs), as KSK rotations currently require manual interaction with the domain registrar, but does perform fully automatic Zone-Signing Key (ZSK) rotations. You can view the automatically managed DNSKEYs with the command-line tool or REST API.
Before you begin
For all the gcloud command-line examples below, you can specify the --project parameter to operate on a different project.
Displaying the current DNSKEYs
To display the current DNSKEY records for your zone:
gcloud dns dns-keys list --zone [ZONE_NAME]
This command prints all DNSKEYs in JSON format.
To display a specific DNSKEY:
gcloud dns dns-keys describe --zone [ZONE_NAME] [KEY_ID]
This command prints the specified DNSKEY in JSON format.
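from googleapiclient import errors
from googleapiclient.discovery import build

# Placeholders: replace with your project, managed zone and DNSKEY ID.
PROJECT_NAME = '[PROJECT_NAME]'
ZONE_NAME = '[ZONE_NAME]'
KEY_ID = '[KEY_ID]'

service = build('dns', 'v1')

# List all DNSKEYs in the zone.
try:
    response = service.dnsKeys().list(project=PROJECT_NAME,
                                      managedZone=ZONE_NAME).execute()
except errors.HttpError as error:
    print('An error occurred: %s' % error)

# Fetch a single DNSKEY by its ID (dnsKeys.get takes the key ID, list does not).
try:
    response = service.dnsKeys().get(project=PROJECT_NAME,
                                     managedZone=ZONE_NAME,
                                     dnsKeyId=KEY_ID).execute()
except errors.HttpError as error:
    print('An error occurred: %s' % error)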
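For the migration case mentioned at the top of this page, the other operator needs each DNSKEY as a zone-file record. The following is an added example, not part of the original page or of Cloud DNS tooling: it converts entries from the JSON output into DNSKEY lines and recomputes the RFC 4034 Appendix B key tag as an integrity check before import. It assumes the DnsKey resource fields type, algorithm, publicKey and keyTag; the owner name, the TTL of 300 and the sample keys are constructed for illustration.

```python
import base64
import struct

# IANA DNSSEC algorithm numbers, keyed by the Cloud DNS algorithm names.
ALGORITHMS = {"rsasha1": 5, "rsasha256": 8, "rsasha512": 10,
              "ecdsap256sha256": 13, "ecdsap384sha384": 14}
# DNSKEY flags: 257 = Zone Key + SEP bit (KSK), 256 = Zone Key only (ZSK).
FLAGS = {"keySigning": 257, "zoneSigning": 256}


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def to_dnskey_rr(owner, key, ttl=300):
    """Return (zone-file line, key tag) for one DnsKey resource dict.

    Raises ValueError if the recomputed key tag differs from the one the
    API reported, which would mean the key was altered or mis-copied.
    """
    flags, alg = FLAGS[key["type"]], ALGORITHMS[key["algorithm"]]
    public = base64.b64decode(key["publicKey"], validate=True)
    rdata = struct.pack("!HBB", flags, 3, alg) + public  # protocol is always 3
    tag = key_tag(rdata)
    if tag != key["keyTag"]:
        raise ValueError("key tag mismatch: computed %d, reported %d"
                         % (tag, key["keyTag"]))
    line = "%s %d IN DNSKEY %d 3 %d %s" % (owner, ttl, flags, alg,
                                           key["publicKey"])
    return line, tag


# Constructed sample data: the public key is a byte pattern, not a real key.
_PUB = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KEYS = [
    {"type": "keySigning", "algorithm": "ecdsap256sha256",
     "keyTag": 59409, "publicKey": _PUB},
    {"type": "zoneSigning", "algorithm": "ecdsap256sha256",
     "keyTag": 59408, "publicKey": _PUB},
]

if __name__ == "__main__":
    for sample in SAMPLE_KEYS:
        print(to_dnskey_rr("example.com.", sample)[0])
```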