# View DNSSEC keys

This page describes how to view Domain Name System Security Extensions
(DNSSEC) keys.

For a conceptual overview of DNSSEC, see the [DNSSEC overview](/dns/docs/dnssec).

A DNSKEY is a DNS record type that contains a public signing key. If you are
migrating a DNSSEC signed zone to another DNS operator, you might need to see
the DNSKEY records. The migration process in
[RFC 6781](https://tools.ietf.org/html/rfc6781#section-4.3.5)
requires importing the Zone Signing Key (ZSK) and Key Signing Key (KSK)
DNSKEYs from the Cloud DNS zone into the other operator's zone.

If you have enabled DNSSEC for a zone, Cloud DNS automatically manages
the creation and rotation of DNSSEC keys (DNSKEY records) and the signing of
zone data with resource record digital signature (RRSIG) records.
Cloud DNS does not support automatic rotation of KSKs because KSK
rotations currently require manual interaction with the domain registrar.
However, Cloud DNS does perform fully automatic ZSK rotations.
You can view the automatically managed DNSKEYs with the Google Cloud CLI or
REST API.

Before you begin
----------------

Before you can view DNSSEC keys, you need to have
[created a managed zone](/dns/docs/zones#creating_managed_zones) and
[enabled DNSSEC for the zone](/dns/docs/dnssec-config#enabling)
so that DNSKEY records are created.

**Note:** A DNSKEY collection is empty when `ManagedZones` are unsigned.

Display current DNSKEYs
-----------------------

To display the current DNSKEY records for your zone, follow these steps.

### gcloud

For the following `gcloud` command-line examples, you can specify the
`--project` parameter to operate on a specific project.

To print all DNSKEYs in JSON format, use the
[`gcloud dns dns-keys list`](/sdk/gcloud/reference/dns/dns-keys/list)
command:

```
gcloud dns dns-keys list --zone ZONE_NAME
```

Replace `ZONE_NAME` with the name of the managed zone.

To display the details of a specified DNSKEY in JSON format, use the
[`gcloud dns dns-keys describe`](/sdk/gcloud/reference/dns/dns-keys/describe)
command:

```
gcloud dns dns-keys describe DNSKEY_ID --zone ZONE_NAME
```

Replace the following:

- `DNSKEY_ID`: the ID of the DNSKEY for which you want to view details
- `ZONE_NAME`: the name of the managed zone

### API

To print all DNSKEYs to a `ResourceRecordSet` collection, use the
[`dnsKeys.get`](/dns/docs/reference/v1/dnsKeys/get) method with an empty
request body:

```
GET https://dns.googleapis.com/dns/v1/projects/PROJECT/managedZones/ZONE_NAME/dnsKeys
```

Replace the following:

- `PROJECT`: the name or ID of the DNS project
- `ZONE_NAME`: the name of the managed zone

Your output is similar to the following:

```
{
  "kind": "dns#dnsKeysListResponse",
  "header": {
    "operationId": string
  },
  "dnsKeys": [
    dnsKeys Resource
  ],
  "nextPageToken": string
}
```

To display the details of a specified DNSKEY in JSON format, use the
[`dnsKeys.get`](/dns/docs/reference/v1/dnsKeys/get) method for `DNSKEY_ID`
with an empty request body:

```
GET https://dns.googleapis.com/dns/v1/projects/PROJECT/managedZones/ZONE_NAME/dnsKeys/DNSKEY_ID
```

Replace the following:

- `PROJECT`: the name or ID of the DNS project
- `ZONE_NAME`: the name of the managed zone
- `DNSKEY_ID`: the ID of the DNSKEY for which you want to view details

### Python

```
# googleapiclient is the current import name of the apiclient library.
from googleapiclient import errors
from googleapiclient.discovery import build

PROJECT_NAME = 'PROJECT_NAME'
ZONE_NAME = 'ZONE_NAME'
KEY_ID = 'DNSKEY_ID'

service = build('dns', 'v1')

# List all DNSKEYs in the managed zone.
try:
    response = service.dnsKeys().list(project=PROJECT_NAME,
                                      managedZone=ZONE_NAME).execute()
    print(response)
except errors.HttpError as error:
    print('An error occurred: %s' % error)

# Get the details of a single DNSKEY.
try:
    response = service.dnsKeys().get(project=PROJECT_NAME,
                                     managedZone=ZONE_NAME,
                                     dnsKeyId=KEY_ID).execute()
    print(response)
except errors.HttpError as error:
    print('An error occurred: %s' % error)
```

Replace the following:

- `PROJECT_NAME`: the name or ID of your DNS project
- `ZONE_NAME`: the name of the managed zone
- `DNSKEY_ID`: the ID of the DNSKEY for which you want to view details

What's next
-----------

- To get information about specific DNSSEC configurations, see [Use advanced DNSSEC](/dns/docs/dnssec-advanced).
- To monitor changes, see [Monitor DNS propagation](/dns/docs/monitoring#dns-propagation).
- To find solutions for common issues that you might encounter when using Cloud DNS, see [Troubleshooting](/dns/docs/troubleshooting).
- To get an overview of Cloud DNS, see [Cloud DNS overview](/dns/docs/overview).
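
For the migration case described at the top of this page, the following added example (not part of the Cloud DNS documentation) takes a `dnsKeys` list response, rebuilds each key's DNSKEY RDATA, recomputes the RFC 4034 key tag to compare against the reported `keyTag`, and produces the zone-file record to import plus a SHA-256 DS digest for the KSK. The field names (`id`, `type`, `algorithm`, `publicKey`, `keyTag`, `isActive`) are assumed from the Cloud DNS v1 `dnsKeys` resource, and the sample response is constructed rather than real key material.

```python
import base64
import hashlib
import struct

# IANA DNSSEC algorithm numbers for the names used in the dnsKeys resource.
ALGORITHMS = {"rsasha1": 5, "rsasha256": 8, "rsasha512": 10,
              "ecdsap256sha256": 13, "ecdsap384sha384": 14}
# DNSKEY flags field: 257 marks a KSK (SEP bit set), 256 a ZSK.
FLAGS = {"keySigning": 257, "zoneSigning": 256}

def dnskey_rdata(key):
    """DNSKEY RDATA (RFC 4034, 2.1): flags, protocol 3, algorithm, public key."""
    head = struct.pack("!HBB", FLAGS[key["type"]], 3, ALGORITHMS[key["algorithm"]])
    return head + base64.b64decode(key["publicKey"], validate=True)

def key_tag(rdata):
    """Key tag over the RDATA (RFC 4034, appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(zone, rdata):
    """DS digest type 2: SHA-256 over canonical owner name plus RDATA."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    owner = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    return hashlib.sha256(owner + rdata).hexdigest()

def audit_keys(zone, response):
    """One row per key: record text to import and whether keyTag checks out."""
    rows = []
    for key in response.get("dnsKeys", []):
        rdata = dnskey_rdata(key)
        flags, proto, alg = struct.unpack("!HBB", rdata[:4])
        rows.append({
            "id": key["id"], "role": key["type"], "active": key["isActive"],
            "tag_ok": key_tag(rdata) == key["keyTag"],
            "record": f"{zone} IN DNSKEY {flags} {proto} {alg} {key['publicKey']}",
            "ds_sha256": ds_sha256(zone, rdata) if flags == 257 else None,
        })
    return rows

# Constructed sample (not real key material); field names are assumed from the
# v1 dnsKeys resource, and key "1" carries a deliberately wrong keyTag.
PUB = base64.b64encode(bytes(range(64))).decode()
SAMPLE = {"dnsKeys": [
    {"id": "0", "type": "keySigning", "algorithm": "ecdsap256sha256",
     "isActive": True, "keyTag": 59409, "publicKey": PUB},
    {"id": "1", "type": "zoneSigning", "algorithm": "ecdsap256sha256",
     "isActive": True, "keyTag": 12345, "publicKey": PUB},
]}
```

Calling `audit_keys("example.com.", SAMPLE)` returns one row per key. A row with `tag_ok` set to `False` means the key material, role or algorithm was altered or mis-copied somewhere between the API response and the import.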