[DNS] Call out differences between standard vs advanced NS (#23504)

* Introduce new limitations section for advanced NS

* Expand to more general considerations and move to setup.mdx

* Text review and add example DNS table for delegation

* Re-add note on Advanced NS vs Custom NS to concept page

* Use specific header for more emphasis and better linking

* Nest DNSSEC keys under Advanced NS in Foundation DNS features

* Add note on advanced ns vs custom in account-custom-nameservers

* Further clarify advanced-vs-custom NS and align with UI messaging

* Revert "Nest DNSSEC keys under Advanced NS in Foundation DNS features"

This reverts commit 459ff3b.

* Replace 'zone' by 'account' in features list

* Create dedicated page explaining Foundation DNSSEC keys

* Add clarification on how to get unique DNSSEC keys

* Apply suggestions from code review

Co-authored-by: Max Phillips <[email protected]>

---------

Co-authored-by: Max Phillips <[email protected]>

Author: 2 people

src/content/docs/dns/foundation-dns/advanced-nameservers.mdx

@@ -12,8 +12,9 @@ Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) offer
 
 Consider the sections below for details about advanced nameservers, and refer to [Set up advanced nameservers](/dns/foundation-dns/setup/) to learn how to enable this feature.
 
-:::caution
- <Render file="ns-advanced-vs-custom" /> 
+:::note
+<Render file="ns-advanced-vs-custom" />
+Also, [some behaviors are different](/dns/foundation-dns/setup/#differences-from-standard-nameservers) when compared to standard nameservers.
 :::
 
 ## Anycast network groups

src/content/docs/dns/foundation-dns/dnssec-keys.mdx

@@ -0,0 +1,17 @@
+---
+pcx_content_type: reference
+title: DNSSEC keys
+sidebar:
+  order: 5
+
+---
+
+With [Foundation DNS](/dns/foundation-dns/), you can request that the ZSK/KSK pair that is used for [DNSSEC](/dns/dnssec/) is unique to your Cloudflare account. To opt in to this feature, contact your account team.
+
+All zones within your Cloudflare account - regardless of using [standard](/dns/nameservers/#standard-nameservers) or [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) - will use the dedicated Zone Signing Key (ZSK) and Key Signing Key (KSK) for DNSSEC. These keys are set at the account level.
+
+## Further reading
+
+For more background information, refer to [How DNSSEC works](https://www.cloudflare.com/learning/dns/dnssec/how-dnssec-works/).
+
+For details about DNSSEC settings at Cloudflare, refer to the [DNSSEC documentation](/dns/dnssec/).

src/content/docs/dns/foundation-dns/index.mdx

@@ -14,7 +14,7 @@ With Foundation DNS, you get access to increased reliability, security, and insi
   * Strategically distributed IPs to enhance resiliency
   * Reduced exposure to incidents or software regression
   * More consistent nameserver assignment
-* DNSSEC keys unique to your zone
+* [DNSSEC keys](/dns/foundation-dns/dnssec-keys/) unique to your account
 * Additional DNS settings, including:
   * [Zone defaults](/dns/additional-options/dns-zone-defaults/)
   * [Account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/)
@@ -24,7 +24,9 @@ With Foundation DNS, you get access to increased reliability, security, and insi
 
 Foundation DNS is only available to Enterprise customers.
 
-Advanced nameservers are an opt-in configuration. Refer to [set up advanced nameservers](/dns/foundation-dns/setup/).
+:::note
+Both advanced nameservers and unique ZSK/KSK are opt-in configurations. Refer to [set up advanced nameservers](/dns/foundation-dns/setup/) and [DNSSEC keys](/dns/foundation-dns/dnssec-keys/) for details.
+:::
 
 ## Related resources
 

src/content/docs/dns/foundation-dns/setup.mdx

@@ -6,10 +6,38 @@ sidebar:
   label: Setup
 ---
 
-import { TabItem, Tabs, APIRequest } from "~/components";
+import { TabItem, Tabs, APIRequest, Render, Details, Example } from "~/components";
 
 Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) are an opt-in configuration.
 
+
+## Before you begin
+
+Before opting in for advanced nameservers, consider the following:
+
+- <Render file="ns-advanced-vs-custom" />
+
+### Differences from standard nameservers
+
+Some behaviors are different from standard Cloudflare nameservers:
+- Wildcard records: if moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
+- Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records (such as A, TXT, or CNAME) on that subdomain from the parent zone, even if those records exist.
+
+<Details header="Example">
+
+<Example>
+DNS management for **example.com**
+| **Type** | **Name** | **Content**               |
+| -------- | -------- | ------------------------- |
+| NS     | www      | ns1.externalhost.com     |
+| NS     | www      | ns2.externalhost.com  |
+| TXT    | www      | "5bb16e6b5a444eedb48ace40c471bcc9" |
+| A     | www      | `192.0.2.1` |
+</Example>
+
+In this example, the TXT record and the A record for `www.example.com` will not be served.
+</Details>
+
 ## Enable on a zone
 
 To enable advanced nameservers on an existing zone:

src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx

@@ -20,6 +20,10 @@ import { Example, Render, Tabs, TabItem } from "~/components"
 
 Account custom nameservers are available for customers on Business (after [contacting Cloudflare Support](/support/contacting-cloudflare-support/)) or Enterprise plans. Once configured, account custom nameservers can be used by all zones in the account, regardless of the zone plan. Via API or on the dashboard.
 
+:::note
+<Render file="ns-advanced-vs-custom" />
+:::
+
 ## Configuration conditions
 
 For this configuration to be possible, a few conditions apply:

src/content/partials/dns/ns-advanced-vs-custom.mdx

@@ -3,4 +3,4 @@
 
 ---
 
-The advantages that come with Foundation DNS [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) are currently not available for [custom nameservers](/dns/nameservers/custom-nameservers/).
+The advantages that come with Foundation DNS [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) are currently not available for [custom nameservers](/dns/nameservers/custom-nameservers/). Make sure you only use one at a time.