This page describes how to view Domain Name System Security Extensions (DNSSEC) keys.
For a conceptual overview of DNSSEC, see the DNSSEC overview.
A DNSKEY is a DNS record type that contains a public signing key. If you are migrating a DNSSEC-signed zone to another DNS operator, you might need to see the DNSKEY records. The migration process in RFC 6781 requires importing the Zone Signing Key (ZSK) and Key Signing Key (KSK) DNSKEYs from the Cloud DNS zone into the other operator's zone.
If you have enabled DNSSEC for a zone, Cloud DNS automatically manages the creation and rotation of DNSSEC keys (DNSKEY records) and the signing of zone data with resource record digital signature (RRSIG) records. Cloud DNS does not support automatic rotation of KSKs because KSK rotations currently require manual interaction with the domain registrar. However, Cloud DNS does perform fully automatic ZSK rotations. You can view the automatically managed DNSKEYs with the Google Cloud CLI or REST API.
Before you begin
Before you can view DNSSEC keys, you need to have created a managed zone and enabled DNSSEC for the zone so that DNSKEY records are created.
Display current DNSKEYs
To display the current DNSKEY records for your zone, follow these steps.
gcloud
For the following gcloud command-line examples, you can specify the --project parameter to operate on a specific project.
To print all DNSKEYs in JSON format, use the gcloud dns dns-keys list command:
gcloud dns dns-keys list --zone ZONE_NAME
Replace ZONE_NAME with the name of the managed zone.
To display the details of a specified DNSKEY in JSON format, use the gcloud dns dns-keys describe command:
gcloud dns dns-keys describe DNSKEY_ID --zone ZONE_NAME
Replace the following:
- DNSKEY_ID: the ID of the DNSKEY for which you want to view details
- ZONE_NAME: the name of the managed zone
API
To print all DNSKEYs to a ResourceRecordSet collection, use the dnsKeys.get method with an empty request body:
GET https://dns.googleapis.com/dns/v1/projects/PROJECT/managedZones/ZONE_NAME/dnsKeys
Replace the following:
- PROJECT: the name or ID of the DNS project
- ZONE_NAME: the name of the managed zone
Your output is similar to the following:
{
  "kind": "dns#dnsKeysListResponse",
  "header": {
    "operationId": string
  },
  "dnsKeys": [
    dnsKeys Resource
  ],
  "nextPageToken": string
}
To display the details of a specified DNSKEY in JSON format, use the dnsKeys DNSKEY_ID.get method with an empty request body:
GET https://dns.googleapis.com/dns/v1/projects/PROJECT/managedZones/ZONE_NAME/dnsKeys/DNSKEY_ID
Replace the following:
- PROJECT: the name or ID of the DNS project
- ZONE_NAME: the name of the managed zone
- DNSKEY_ID: the ID of the DNSKEY for which you want to view details
Python
  from googleapiclient import errors
  from googleapiclient.discovery import build

  PROJECT_NAME = 'PROJECT_NAME'
  ZONE_NAME = 'ZONE_NAME'
  DNSKEY_ID = 'DNSKEY_ID'

  # Build a Cloud DNS v1 client using Application Default Credentials.
  service = build('dns', 'v1')

  # List all DNSKEYs in the managed zone.
  try:
    response = service.dnsKeys().list(project=PROJECT_NAME,
                                      managedZone=ZONE_NAME).execute()
    print(response)
  except errors.HttpError as error:
    print('An error occurred: %s' % error)

  # Get the details of a single DNSKEY.
  try:
    response = service.dnsKeys().get(project=PROJECT_NAME,
                                     managedZone=ZONE_NAME,
                                     dnsKeyId=DNSKEY_ID).execute()
    print(response)
  except errors.HttpError as error:
    print('An error occurred: %s' % error)
Replace the following:
- PROJECT_NAME: the name or ID of your DNS project
- ZONE_NAME: the name of the managed zone
- DNSKEY_ID: the ID of the DNSKEY for which you want to view details
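Before you import the ZSK and KSK into another operator's zone for an RFC 6781 migration, you can check each key against the key tag that the API reports. The following is an added example, not part of the Cloud DNS documentation or client library: it rebuilds each DNSKEY record from a dnsKeys list response and recomputes the RFC 4034 key tag. The SAMPLE response, the example.com. zone name, and the helper names are constructed for illustration, and the code assumes that publicKey holds the base64 DNSKEY public key field.

```python
import base64
import struct

# IANA DNSSEC algorithm numbers for the Cloud DNS algorithm enum values.
ALGORITHMS = {"rsasha1": 5, "rsasha256": 8, "rsasha512": 10,
              "ecdsap256sha256": 13, "ecdsap384sha384": 14}
# DNSKEY flags: 257 = Zone Key + SEP bit (KSK), 256 = Zone Key only (ZSK).
FLAGS = {"keySigning": 257, "zoneSigning": 256}


def dnskey_rdata(key):
    """Build DNSKEY RDATA (RFC 4034 section 2.1) from a dnsKeys resource."""
    public_key = base64.b64decode(key["publicKey"], validate=True)
    return struct.pack("!HBB", FLAGS[key["type"]], 3,
                       ALGORITHMS[key["algorithm"]]) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def export_dnskeys(zone_fqdn, response):
    """Return DNSKEY zone-file lines, refusing keys whose keyTag disagrees."""
    lines = []
    for key in response.get("dnsKeys", []):
        rdata = dnskey_rdata(key)
        tag = key_tag(rdata)
        if tag != key["keyTag"]:
            raise ValueError("key %s: computed tag %d != reported %d"
                             % (key["id"], tag, key["keyTag"]))
        flags, proto, alg = struct.unpack("!HBB", rdata[:4])
        lines.append("%s IN DNSKEY %d %d %d %s ; %s, key tag %d" % (
            zone_fqdn, flags, proto, alg, key["publicKey"], key["type"], tag))
    return lines


# Constructed sample response: the 4-byte publicKey values are placeholders,
# not real keys, chosen so that the key tags can be checked by hand.
SAMPLE = {"kind": "dns#dnsKeysListResponse", "dnsKeys": [
    {"id": "0", "type": "keySigning", "algorithm": "ecdsap256sha256",
     "publicKey": "AQIDBA==", "keyTag": 2068},
    {"id": "1", "type": "zoneSigning", "algorithm": "ecdsap256sha256",
     "publicKey": "AQIDBA==", "keyTag": 2067},
]}
if __name__ == "__main__":
    print("\n".join(export_dnskeys("example.com.", SAMPLE)))
```

A mismatch between the computed and reported key tag means the record was altered or truncated between the API response and the export, so the function raises instead of emitting a record that would fail validation in the new zone.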
What's next
- To get information about specific DNSSEC configurations, see Use advanced DNSSEC.
- To monitor changes, see Monitor DNS propagation.
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To get an overview of Cloud DNS, see Cloud DNS overview.