For a list of methods for this resource, see the end of this page.

Resource representations

A zone is a subtree of the DNS namespace under one administrative responsibility. A ManagedZone is a resource that represents a DNS zone hosted by the Cloud DNS service.

  "kind": "dns#managedZone",
  "name": string,
  "dnsName": string,
  "description": string,
  "id": unsigned long,
  "nameServers": [
  "creationTime": string,
  "dnssecConfig": {
    "kind": "dns#managedZoneDnsSecConfig",
    "state": string,
    "defaultKeySpecs": [
        "kind": "dns#dnsKeySpec",
        "keyType": string,
        "algorithm": string,
        "keyLength": unsigned integer
    "nonExistence": string
  "nameServerSet": string,
  "visibility": string,
  "privateVisibilityConfig": {
    "kind": "dns#managedZonePrivateVisibilityConfig",
    "networks": [
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": string
  "labels": {
    (key): string
Property name Value Description Notes
creationTime string The time that this resource was created on the server. This is in RFC3339 text format. Output only.
description string A mutable string of at most 1024 characters associated with this resource for the user's convenience. Has no effect on the managed zone's function.
dnsName string The DNS name of this managed zone, for instance "".
dnssecConfig nested object DNSSEC configuration.
dnssecConfig.defaultKeySpecs[] list Specifies parameters that will be used for generating initial DnsKeys for this ManagedZone. Output only while state is not OFF.
dnssecConfig.defaultKeySpecs[].algorithm string String mnemonic specifying the DNSSEC algorithm of this key.

Acceptable values are:
  • "ecdsap256sha256"
  • "ecdsap384sha384"
  • "rsasha1"
  • "rsasha256"
  • "rsasha512"
dnssecConfig.defaultKeySpecs[].keyLength unsigned integer Length of the keys in bits.
dnssecConfig.defaultKeySpecs[].keyType string Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). Key signing keys have the Secure Entry Point flag set and, when active, will only be used to sign resource record sets of type DNSKEY. Zone signing keys do not have the Secure Entry Point flag set and will be used to sign all other types of resource record sets.

Acceptable values are:
  • "keySigning"
  • "zoneSigning"
dnssecConfig.defaultKeySpecs[].kind string Identifies what kind of resource this is. Value: the fixed string "dns#dnsKeySpec".
dnssecConfig.kind string Identifies what kind of resource this is. Value: the fixed string "dns#managedZoneDnsSecConfig".
dnssecConfig.nonExistence string Specifies the mechanism used to provide authenticated denial-of-existence responses. Output only while state is not OFF.

Acceptable values are:
  • "nsec"
  • "nsec3"
dnssecConfig.state string Specifies whether DNSSEC is enabled, and what mode it is in.

Acceptable values are:
  • "off"
  • "on"
  • "transfer"
id unsigned long Unique identifier for the resource; defined by the server (output only)
kind string Identifies what kind of resource this is. Value: the fixed string "dns#managedZone".
labels object User labels.
labels.(key) string
name string User assigned name for this resource. Must be unique within the project. The name must be 1-63 characters long, must begin with a letter, end with a letter or digit, and only contain lowercase letters, digits or dashes.
nameServerSet string Optionally specifies the NameServerSet for this ManagedZone. A NameServerSet is a set of DNS name servers that all host the same ManagedZones. Most users will leave this field unset.
nameServers[] list Delegate your managed_zone to these virtual name servers; defined by the server (output only)
privateVisibilityConfig nested object For privately visible zones, the set of Virtual Private Cloud resources that the zone is visible from.
privateVisibilityConfig.kind string Identifies what kind of resource this is. Value: the fixed string "dns#managedZonePrivateVisibilityConfig".
privateVisibilityConfig.networks[] list The list of VPC networks that can see this zone.
privateVisibilityConfig.networks[].kind string Identifies what kind of resource this is. Value: the fixed string "dns#managedZonePrivateVisibilityConfigNetwork".
privateVisibilityConfig.networks[].networkUrl string The fully qualified URL of the VPC network to bind to. This should be formatted like{project}/global/networks/{network}
visibility string The zone's visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources.

Acceptable values are:
  • "private"
  • "public"


Create a new ManagedZone.
Delete a previously created ManagedZone.
Fetch the representation of an existing ManagedZone.
Enumerate ManagedZones that have been created but not yet deleted.
Apply a partial update to an existing ManagedZone.
Update an existing ManagedZone.
Was this page helpful? Let us know how we did:

Send feedback about...