gcp.dns.getKeys
Get the DNSKEY and DS records of DNSSEC-signed managed zones.
For more information see the official documentation and API.
A gcp.dns.ManagedZone resource must have DNSSEC enabled in order to contain any DNSKEYs. Queries to managed zones without this setting enabled will result in a 404 error as the collection of DNSKEYs does not exist in the DNS API.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// DNSSEC settings for the zone. The key lookup below only works on a zone
// that has DNSSEC enabled; otherwise there is no DNSKEY collection to read.
const dnssecConfig = {
    state: "on",
    nonExistence: "nsec3",
};

const foo = new gcp.dns.ManagedZone("foo", {
    name: "foobar",
    dnsName: "foo.bar.",
    dnssecConfig,
});

// Output form of the invoke: it accepts the zone id as an Output.
const fooDnsKeys = gcp.dns.getKeysOutput({ managedZone: foo.id });

// Export the DS record of the first key-signing key. Optional chaining leaves
// the export undefined when no KSK is returned.
// NOTE(review): index 0 is simply the first KSK listed; if the zone can hold
// more than one KSK, check `isActive` before publishing a DS record.
export const fooDnsDsRecord = fooDnsKeys.apply((keys) => {
    const firstKsk = keys.keySigningKeys?.[0];
    return firstKsk?.dsRecord;
});
import pulumi
import pulumi_gcp as gcp
# DNSSEC settings for the zone. The key lookup below only works on a zone
# that has DNSSEC enabled; otherwise there is no DNSKEY collection to read.
dnssec_settings = {
    "state": "on",
    "non_existence": "nsec3",
}
foo = gcp.dns.ManagedZone(
    "foo",
    name="foobar",
    dns_name="foo.bar.",
    dnssec_config=dnssec_settings,
)

# Output form of the invoke: it accepts the zone id as an Output.
foo_dns_keys = gcp.dns.get_keys_output(managed_zone=foo.id)

# Export the DS record of the first key-signing key.
# NOTE(review): assumes at least one KSK is returned, and index 0 is simply
# the first one listed; check `is_active` if the zone can hold several KSKs.
first_ksk = foo_dns_keys.key_signing_keys[0]
pulumi.export("fooDnsDsRecord", first_ksk.ds_record)
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/dns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
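// main declares a DNSSEC-signed managed zone, looks up its DNSSEC keys and
// exports the DS record of the first key-signing key as "fooDnsDsRecord".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The key lookup below only works on a zone that has DNSSEC enabled;
		// otherwise there is no DNSKEY collection to read.
		foo, err := dns.NewManagedZone(ctx, "foo", &dns.ManagedZoneArgs{
			Name:    pulumi.String("foobar"),
			DnsName: pulumi.String("foo.bar."),
			DnssecConfig: &dns.ManagedZoneDnssecConfigArgs{
				State:        pulumi.String("on"),
				NonExistence: pulumi.String("nsec3"),
			},
		})
		if err != nil {
			return err
		}
		// Output form of the invoke: it accepts the zone ID as an Output.
		fooDnsKeys := dns.GetKeysOutput(ctx, dns.GetKeysOutputArgs{
			ManagedZone: foo.ID(),
		}, nil)
		ctx.Export("fooDnsDsRecord", fooDnsKeys.ApplyT(func(keys dns.GetKeysResult) (*string, error) {
			// Indexing an empty slice panics, so export nil when no KSK is
			// returned instead of crashing the program.
			if len(keys.KeySigningKeys) == 0 {
				return nil, nil
			}
			// NOTE(review): index 0 is simply the first KSK listed; if the
			// zone can hold more than one KSK, check IsActive before
			// publishing a DS record.
			return &keys.KeySigningKeys[0].DsRecord, nil
		}).(pulumi.StringPtrOutput))
		return nil
	})
}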
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
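// Declares a DNSSEC-signed managed zone, looks up its DNSSEC keys and exports
// the DS record of the first key-signing key as "fooDnsDsRecord".
return await Deployment.RunAsync(() => 
{
    // The key lookup below only works on a zone that has DNSSEC enabled;
    // otherwise there is no DNSKEY collection to read.
    var foo = new Gcp.Dns.ManagedZone("foo", new()
    {
        Name = "foobar",
        DnsName = "foo.bar.",
        DnssecConfig = new Gcp.Dns.Inputs.ManagedZoneDnssecConfigArgs
        {
            State = "on",
            NonExistence = "nsec3",
        },
    });

    // Output form of the invoke: it accepts the zone id as an Output.
    var fooDnsKeys = Gcp.Dns.GetKeys.Invoke(new()
    {
        ManagedZone = foo.Id,
    });

    return new Dictionary<string, object?>
    {
        // FirstOrDefault() yields null for an empty list, where indexing [0]
        // would throw; the export is then null instead of failing the program.
        // NOTE(review): this is simply the first KSK listed; if the zone can
        // hold more than one KSK, check IsActive before publishing a DS record.
        ["fooDnsDsRecord"] = fooDnsKeys.Apply(getKeysResult => getKeysResult.KeySigningKeys.FirstOrDefault()?.DsRecord),
    };
});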
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dns.ManagedZone;
import com.pulumi.gcp.dns.ManagedZoneArgs;
import com.pulumi.gcp.dns.inputs.ManagedZoneDnssecConfigArgs;
import com.pulumi.gcp.dns.DnsFunctions;
import com.pulumi.gcp.dns.inputs.GetKeysArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
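/**
 * Example program: declares a DNSSEC-signed managed zone, looks up its DNSSEC
 * keys and exports the DS record of the first key-signing key.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack resources and the "fooDnsDsRecord" export.
     *
     * @param ctx the Pulumi context used to register the stack export
     */
    public static void stack(Context ctx) {
        // The key lookup below only works on a zone that has DNSSEC enabled;
        // otherwise there is no DNSKEY collection to read.
        var foo = new ManagedZone("foo", ManagedZoneArgs.builder()
            .name("foobar")
            .dnsName("foo.bar.")
            .dnssecConfig(ManagedZoneDnssecConfigArgs.builder()
                .state("on")
                .nonExistence("nsec3")
                .build())
            .build());

        final var fooDnsKeys = DnsFunctions.getKeys(GetKeysArgs.builder()
            .managedZone(foo.id())
            .build());

        // One applyValue is enough to reach the DS record. The lambda parameter
        // must not reuse the name of the local variable fooDnsKeys, and the key
        // list is read with get(0) rather than array indexing.
        // NOTE(review): get(0) throws on an empty list, and it is simply the
        // first KSK listed; check isActive() if the zone can hold several KSKs.
        ctx.export("fooDnsDsRecord", fooDnsKeys.applyValue(
            getKeysResult -> getKeysResult.keySigningKeys().get(0).dsRecord()));
    }
}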
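# Declares a DNSSEC-signed managed zone, looks up its DNSSEC keys and exports
# the DS record of the first key-signing key.
resources:
  foo:
    type: gcp:dns:ManagedZone
    properties:
      name: foobar
      dnsName: foo.bar.
      # The key lookup below only works on a zone that has DNSSEC enabled.
      dnssecConfig:
        # Quoted so that a parser applying YAML 1.1 boolean rules cannot read
        # the value as `true` instead of the string "on".
        state: "on"
        nonExistence: nsec3
variables:
  fooDnsKeys:
    fn::invoke:
      function: gcp:dns:getKeys
      arguments:
        managedZone: ${foo.id}
outputs:
  # NOTE(review): index 0 is simply the first KSK listed; if the zone can hold
  # more than one KSK, check isActive before publishing a DS record.
  fooDnsDsRecord: ${fooDnsKeys.keySigningKeys[0].dsRecord}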
Using getKeys
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getKeys(args: GetKeysArgs, opts?: InvokeOptions): Promise<GetKeysResult>
function getKeysOutput(args: GetKeysOutputArgs, opts?: InvokeOptions): Output<GetKeysResult>
def get_keys(managed_zone: Optional[str] = None,
             project: Optional[str] = None,
             opts: Optional[InvokeOptions] = None) -> GetKeysResult
def get_keys_output(managed_zone: Optional[pulumi.Input[str]] = None,
             project: Optional[pulumi.Input[str]] = None,
             opts: Optional[InvokeOptions] = None) -> Output[GetKeysResult]
func GetKeys(ctx *Context, args *GetKeysArgs, opts ...InvokeOption) (*GetKeysResult, error)
func GetKeysOutput(ctx *Context, args *GetKeysOutputArgs, opts ...InvokeOption) GetKeysResultOutput
> Note: This function is named GetKeys in the Go SDK.
public static class GetKeys 
{
    public static Task<GetKeysResult> InvokeAsync(GetKeysArgs args, InvokeOptions? opts = null)
    public static Output<GetKeysResult> Invoke(GetKeysInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetKeysResult> getKeys(GetKeysArgs args, InvokeOptions options)
public static Output<GetKeysResult> getKeys(GetKeysArgs args, InvokeOptions options)
fn::invoke:
  function: gcp:dns/getKeys:getKeys
  arguments:
    # arguments dictionary
The following arguments are supported:
- ManagedZone string
- The name or id of the Cloud DNS managed zone.
- Project string
- The ID of the project in which the resource belongs. If project is not provided, the provider project is used.
- ManagedZone string
- The name or id of the Cloud DNS managed zone.
- Project string
- The ID of the project in which the resource belongs. If project is not provided, the provider project is used.
- managedZone String
- The name or id of the Cloud DNS managed zone.
- project String
- The ID of the project in which the resource belongs. If project is not provided, the provider project is used.
- managedZone string
- The name or id of the Cloud DNS managed zone.
- project string
- The ID of the project in which the resource belongs. If project is not provided, the provider project is used.
- managed_zone str
- The name or id of the Cloud DNS managed zone.
- project str
- The ID of the project in which the resource belongs. If project is not provided, the provider project is used.
- managedZone String
- The name or id of the Cloud DNS managed zone.
- project String
- The ID of the project in which the resource belongs. If project is not provided, the provider project is used.
getKeys Result
The following output properties are available:
- Id string
- The provider-assigned unique ID for this managed resource.
- KeySigningKeys List<GetKeysKeySigningKey>
- A list of Key-signing key (KSK) records. Structure is documented below. Additionally, the DS record is provided:
- ManagedZone string
- Project string
- ZoneSigningKeys List<GetKeysZoneSigningKey>
- A list of Zone-signing key (ZSK) records. Structure is documented below.
- Id string
- The provider-assigned unique ID for this managed resource.
- KeySigningKeys []GetKeysKeySigningKey
- A list of Key-signing key (KSK) records. Structure is documented below. Additionally, the DS record is provided:
- ManagedZone string
- Project string
- ZoneSigningKeys []GetKeysZoneSigningKey
- A list of Zone-signing key (ZSK) records. Structure is documented below.
- id String
- The provider-assigned unique ID for this managed resource.
- keySigningKeys List<GetKeysKeySigningKey>
- A list of Key-signing key (KSK) records. Structure is documented below. Additionally, the DS record is provided:
- managedZone String
- project String
- zoneSigningKeys List<GetKeysZoneSigningKey>
- A list of Zone-signing key (ZSK) records. Structure is documented below.
- id string
- The provider-assigned unique ID for this managed resource.
- keySigningKeys GetKeysKeySigningKey[]
- A list of Key-signing key (KSK) records. Structure is documented below. Additionally, the DS record is provided:
- managedZone string
- project string
- zoneSigningKeys GetKeysZoneSigningKey[]
- A list of Zone-signing key (ZSK) records. Structure is documented below.
- id str
- The provider-assigned unique ID for this managed resource.
- key_signing_keys Sequence[GetKeysKeySigningKey]
- A list of Key-signing key (KSK) records. Structure is documented below. Additionally, the DS record is provided:
- managed_zone str
- project str
- zone_signing_keys Sequence[GetKeysZoneSigningKey]
- A list of Zone-signing key (ZSK) records. Structure is documented below.
- id String
- The provider-assigned unique ID for this managed resource.
- keySigningKeys List<Property Map>
- A list of Key-signing key (KSK) records. Structure is documented below. Additionally, the DS record is provided:
- managedZone String
- project String
- zoneSigningKeys List<Property Map>
- A list of Zone-signing key (ZSK) records. Structure is documented below.
Supporting Types
GetKeysKeySigningKey    
- Algorithm string
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- CreationTime string
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- Description string
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- Digests
List<GetKeys Key Signing Key Digest> 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- DsRecord string
- The DS record based on the KSK record. This is used when delegating DNSSEC-signed subdomains.
- Id string
- Unique identifier for the resource; defined by the server.
- IsActive bool
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- KeyLength int
- Length of the key in bits. Specified at creation time then immutable.
- KeyTag int
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- PublicKey string
- Base64 encoded public half of this key.
- Algorithm string
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- CreationTime string
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- Description string
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- Digests
[]GetKeys Key Signing Key Digest 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- DsRecord string
- The DS record based on the KSK record. This is used when delegating DNSSEC-signed subdomains.
- Id string
- Unique identifier for the resource; defined by the server.
- IsActive bool
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- KeyLength int
- Length of the key in bits. Specified at creation time then immutable.
- KeyTag int
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- PublicKey string
- Base64 encoded public half of this key.
- algorithm String
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- creationTime String
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- description String
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- digests
List<GetKeys Key Signing Key Digest> 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- dsRecord String
- The DS record based on the KSK record. This is used when delegating DNSSEC-signed subdomains.
- id String
- Unique identifier for the resource; defined by the server.
- isActive Boolean
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- keyLength Integer
- Length of the key in bits. Specified at creation time then immutable.
- keyTag Integer
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- publicKey String
- Base64 encoded public half of this key.
- algorithm string
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- creationTime string
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- description string
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- digests
GetKeys Key Signing Key Digest[] 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- dsRecord string
- The DS record based on the KSK record. This is used when delegating DNSSEC-signed subdomains.
- id string
- Unique identifier for the resource; defined by the server.
- isActive boolean
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- keyLength number
- Length of the key in bits. Specified at creation time then immutable.
- keyTag number
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- publicKey string
- Base64 encoded public half of this key.
- algorithm str
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- creation_time str
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- description str
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- digests
Sequence[GetKeys Key Signing Key Digest] 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- ds_record str
- The DS record based on the KSK record. This is used when delegating DNSSEC-signed subdomains.
- id str
- Unique identifier for the resource; defined by the server.
- is_active bool
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- key_length int
- Length of the key in bits. Specified at creation time then immutable.
- key_tag int
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- public_key str
- Base64 encoded public half of this key.
- algorithm String
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- creationTime String
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- description String
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- digests List<Property Map>
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- dsRecord String
- The DS record based on the KSK record. This is used when delegating DNSSEC-signed subdomains.
- id String
- Unique identifier for the resource; defined by the server.
- isActive Boolean
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- keyLength Number
- Length of the key in bits. Specified at creation time then immutable.
- keyTag Number
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- publicKey String
- Base64 encoded public half of this key.
GetKeysKeySigningKeyDigest     
GetKeysZoneSigningKey    
- Algorithm string
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- CreationTime string
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- Description string
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- Digests
List<GetKeys Zone Signing Key Digest> 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- Id string
- Unique identifier for the resource; defined by the server.
- IsActive bool
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- KeyLength int
- Length of the key in bits. Specified at creation time then immutable.
- KeyTag int
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- PublicKey string
- Base64 encoded public half of this key.
- Algorithm string
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- CreationTime string
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- Description string
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- Digests
[]GetKeys Zone Signing Key Digest 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- Id string
- Unique identifier for the resource; defined by the server.
- IsActive bool
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- KeyLength int
- Length of the key in bits. Specified at creation time then immutable.
- KeyTag int
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- PublicKey string
- Base64 encoded public half of this key.
- algorithm String
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- creationTime String
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- description String
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- digests
List<GetKeys Zone Signing Key Digest> 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- id String
- Unique identifier for the resource; defined by the server.
- isActive Boolean
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- keyLength Integer
- Length of the key in bits. Specified at creation time then immutable.
- keyTag Integer
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- publicKey String
- Base64 encoded public half of this key.
- algorithm string
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- creationTime string
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- description string
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- digests
GetKeys Zone Signing Key Digest[] 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- id string
- Unique identifier for the resource; defined by the server.
- isActive boolean
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- keyLength number
- Length of the key in bits. Specified at creation time then immutable.
- keyTag number
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- publicKey string
- Base64 encoded public half of this key.
- algorithm str
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- creation_time str
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- description str
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- digests
Sequence[GetKeys Zone Signing Key Digest] 
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- id str
- Unique identifier for the resource; defined by the server.
- is_active bool
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- key_length int
- Length of the key in bits. Specified at creation time then immutable.
- key_tag int
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- public_key str
- Base64 encoded public half of this key.
- algorithm String
- String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.
- creationTime String
- The time that this resource was created in the control plane. This is in RFC3339 text format.
- description String
- A mutable string of at most 1024 characters associated with this resource for the user's convenience.
- digests List<Property Map>
- A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:
- id String
- Unique identifier for the resource; defined by the server.
- isActive Boolean
- Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.
- keyLength Number
- Length of the key in bits. Specified at creation time then immutable.
- keyTag Number
- The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.
- publicKey String
- Base64 encoded public half of this key.
GetKeysZoneSigningKeyDigest     
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the google-beta Terraform Provider.