googleDnsKeys

Get the DNSKEY and DS records of DNSSEC-signed managed zones. For more information see the official documentation and API.

Example Usage

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleDnsManagedZoneFoo = new google.dnsManagedZone.DnsManagedZone(
  this,
  "foo",
  {
    dns_name: "foo.bar.",
    dnssec_config: [
      {
        non_existence: "nsec3",
        state: "on",
      },
    ],
    name: "foobar",
  }
);
const dataGoogleDnsKeysFooDnsKeys =
  new google.dataGoogleDnsKeys.DataGoogleDnsKeys(this, "foo_dns_keys", {
    managed_zone: googleDnsManagedZoneFoo.id,
  });
new cdktf.TerraformOutput(this, "foo_dns_ds_record", {
  value: `\${${dataGoogleDnsKeysFooDnsKeys.keySigningKeys.fqn}[0].ds_record}`,
  description: "DS record of the foo subdomain.",
});

Argument Reference

The following arguments are supported:

  • managedZone - (Required) The name or id of the Cloud DNS managed zone.

  • project - (Optional) The ID of the project in which the resource belongs. If project is not provided, the provider project is used.

Attributes Reference

The following attributes are exported:

  • keySigningKeys - A list of Key-signing key (KSK) records. Structure is documented below. Additionally, the DS record is provided:

    • dsRecord - The DS record based on the KSK record. This is used when delegating DNSSEC-signed subdomains.
  • zoneSigningKeys - A list of Zone-signing key (ZSK) records. Structure is documented below.

The keySigningKeys and zoneSigningKeys blocks support:

  • algorithm - String mnemonic specifying the DNSSEC algorithm of this key. Immutable after creation time. Possible values are ecdsap256Sha256, ecdsap384Sha384, rsasha1, rsasha256, and rsasha512.

  • creationTime - The time that this resource was created in the control plane. This is in RFC3339 text format.

  • description - A mutable string of at most 1024 characters associated with this resource for the user's convenience.

  • digests - A list of cryptographic hashes of the DNSKEY resource record associated with this DnsKey. These digests are needed to construct a DS record that points at this DNS key. Each contains:

    • digest - The base-16 encoded bytes of this digest. Suitable for use in a DS resource record.
    • type - Specifies the algorithm used to calculate this digest. Possible values are sha1, sha256 and sha384.
  • id - Unique identifier for the resource; defined by the server.

  • isActive - Active keys will be used to sign subsequent changes to the ManagedZone. Inactive keys will still be present as DNSKEY Resource Records for the use of resolvers validating existing signatures.

  • keyLength - Length of the key in bits. Specified at creation time then immutable.

  • keyTag - The key tag is a non-cryptographic hash of the DNSKEY resource record associated with this DnsKey. The key tag can be used to identify a DNSKEY more quickly (but it is not a unique identifier). In particular, the key tag is used in a parent zone's DS record to point at the DNSKEY in this child ManagedZone. The key tag is a number in the range [0, 65535] and the algorithm to calculate it is specified in RFC4034 Appendix B.

  • publicKey - Base64 encoded public half of this key.
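Before a DS record exported through dsRecord is delegated into the parent zone, it is worth recomputing the keyTag and the digests[].digest values from the DNSKEY itself and confirming they agree. The following is an added example, not code from this page or from the Terraform provider: it implements the key tag algorithm of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 (hash over the canonical owner name followed by the DNSKEY RDATA). It assumes that dsRecord is in standard DS presentation format (key tag, algorithm number, digest type number, hex digest); the key bytes and the zone name are constructed placeholders, and the mnemonic-to-number tables cover only the algorithm and digest values this page lists.

```python
# Added example, not part of the google_dns_keys documentation or the provider.
# Recomputes the key tag (RFC 4034 Appendix B) and the DS digest
# (RFC 4034 section 5.1.4) of a DNSKEY so that keyTag, digests[].digest
# and dsRecord exported by the data source can be cross-checked before
# the DS record is delegated into the parent zone.
import base64
import hashlib
import struct

# IANA numbers for the algorithm mnemonics this page lists (matched case-insensitively).
ALGORITHM_NUMBERS = {
    "rsasha1": 5,
    "rsasha256": 8,
    "rsasha512": 10,
    "ecdsap256sha256": 13,
    "ecdsap384sha384": 14,
}
# IANA DS digest type numbers for the digest types this page lists.
DIGEST_TYPES = {"sha1": 1, "sha256": 2, "sha384": 4}


def dnskey_rdata(flags: int, algorithm: int, public_key_b64: str, protocol: int = 3) -> bytes:
    """DNSKEY RDATA in wire format: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the big-endian 16-bit words of the RDATA (a trailing odd
    byte counts as a high byte), fold the carry once, and keep the low 16 bits."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root label."""
    name = owner.rstrip(".").lower()
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        encoded = label.encode("ascii")
        if not 0 < len(encoded) < 64:
            raise ValueError(f"invalid label in owner name {owner!r}")
        out += bytes([len(encoded)]) + encoded
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes, digest_type: str = "sha256") -> str:
    """Hex digest of (canonical owner name || DNSKEY RDATA), as carried in a DS record."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported digest type {digest_type!r}")
    return hashlib.new(digest_type, canonical_name(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, algorithm, public_key_b64, digest_type="sha256") -> str:
    """DS presentation text: '<key tag> <algorithm> <digest type> <hex digest>'."""
    alg = ALGORITHM_NUMBERS[algorithm.lower()]
    rdata = dnskey_rdata(flags, alg, public_key_b64)
    return f"{key_tag(rdata)} {alg} {DIGEST_TYPES[digest_type]} {ds_digest(owner, rdata, digest_type)}"


def ds_matches_dnskey(owner, flags, algorithm, public_key_b64, published_ds: str) -> bool:
    """True if a DS record (assumed to be in standard presentation format, which is how
    this example treats the dsRecord attribute) was derived from the given DNSKEY."""
    fields = published_ds.split()
    if len(fields) != 4 or not fields[2].isdigit():
        return False
    tag, alg, dtype, digest = fields
    digest_name = {v: k for k, v in DIGEST_TYPES.items()}.get(int(dtype))
    if digest_name is None:
        return False
    expected = ds_record(owner, flags, algorithm, public_key_b64, digest_name)
    return expected.split() == [tag, alg, dtype, digest.upper()]


if __name__ == "__main__":
    # Constructed KSK for a zone like the "foo.bar." one in the example above:
    # flags 257 (SEP bit set), algorithm ecdsap256Sha256, and a placeholder 4-byte
    # public key (a real P-256 key is 64 bytes; the arithmetic is identical).
    zone, flags, alg, pubkey = "foo.bar.", 257, "ecdsap256Sha256", "AQIDBA=="
    ds = ds_record(zone, flags, alg, pubkey)
    print("computed DS:", ds)
    # Compare with the dsRecord the data source exported before delegating it.
    print("matches exported DS:", ds_matches_dnskey(zone, flags, alg, pubkey, ds))
```

In practice the inputs to ds_record come from the keySigningKeys entry (publicKey, algorithm, and flags 257 for a KSK) and the owner name is the zone's dnsName; a mismatch between the recomputed DS and the exported dsRecord means the wrong key, zone name, or digest type was used and the delegation would fail validation rather than silently succeed.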