Viewing DNSSEC keys

This page describes how to view Domain Name System Security Extensions (DNSSEC) keys.

For a conceptual overview of DNSSEC, see the DNSSEC overview.

A DNSKEY is a DNS record type that contains a public signing key. If you are migrating a DNSSEC signed zone to another DNS operator, you might need to see the DNSKEY records. The migration process in RFC 6781 requires importing the Zone Signing Key (ZSK) and Key Signing Key (KSK) DNSKEYs from the Cloud DNS zone into the other operator's zone.

If you have enabled DNSSEC for a zone, Cloud DNS automatically manages the creation and rotation of DNSSEC keys (DNSKEY records) and the signing of zone data with resource record digital signature (RRSIG) records. Cloud DNS does not support automatic rotation of KSKs because KSK rotations currently require manual interaction with the domain registrar. However, Cloud DNS does perform fully automatic ZSK rotations. You can view the automatically managed DNSKEYs with the gcloud command-line tool or REST API.

Before you begin

Before you can view DNSSEC keys, you need to have created a managed zone and enabled DNSSEC for the zone so that DNSKEY records are created.

Displaying current DNSKEYs

To display the current DNSKEY records for your zone, follow these steps.

gcloud

For the following gcloud command-line examples, you can specify the --project parameter to operate on a specific project.

To print all DNSKEYs in JSON format, use the gcloud dns dns-keys list command:

gcloud dns dns-keys list --zone ZONE_NAME

Replace ZONE_NAME with the name of the managed zone.

To display the details of a specified DNSKEY in JSON format, use the gcloud dns dns-keys describe command:

gcloud dns dns-keys describe DNSKEY_ID --zone ZONE_NAME

Replace the following:

  • DNSKEY_ID: the ID of the DNSKEY for which you want to view details
  • ZONE_NAME: the name of the managed zone

API

To print all DNSKEYs to a ResourceRecordSet collection, use the dnsKeys.get method with an empty request body:

GET https://dns.googleapis.com/dns/v1/projects/PROJECT/managedZones/ZONE_NAME/dnsKeys

Replace the following:

  • PROJECT: the name or ID of the DNS project
  • ZONE_NAME: the name of the managed zone

Your output is similar to the following:

{
  "kind": "dns#dnsKeysListResponse",
  "header": {
    "operationId": string
  },
  "dnsKeys": [
    dnsKeys Resource
  ],
  "nextPageToken": string
}

To display the details of a specified DNSKEY in JSON format, use the dnsKeys DNSKEY_ID.get method with an empty request body:

GET https://dns.googleapis.com/dns/v1/projects/PROJECT/managedZones/ZONE_NAME/dnsKeys/DNSKEY_ID

Replace the following:

  • PROJECT: the name or ID of the DNS project
  • ZONE_NAME: the name of the managed zone
  • DNSKEY_ID: the ID of the DNSKEY for which you want to view details

Python

  from apiclient import errors
  from apiclient.discovery import build

  PROJECT_NAME= 'PROJECT_NAME'
  ZONE_NAME= 'ZONE_NAME'

  try:
    service = build('dns', 'v1')
    response = service.dnskeys().list(project=PROJECT_NAME,
                                      managedZone=ZONE_NAME).execute()
  except errors.HttpError, error:
    print 'An error occurred: %s' % error

  try:
    response = service.dnskeys().list(project=PROJECT_NAME,
                                      managedZone=ZONE_NAME,
                                      keyId=KEY_ID).execute()
  except errors.HttpError, error:
    print 'An error occurred: %s' % error

Replace the following:

  • PROJECT_NAME: the name or ID of your DNS project
  • ZONE_NAME: the name of the managed zone

What's next