Update dnssec-for-secondary to account for NSEC3 support

RebeccaTamachiro · RebeccaTamachiro · commit 2a8531c4c185 · 2025-05-27T10:27:07.000+01:00
diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary.mdx
@@ -14,7 +14,7 @@ import { Render, TabItem, Tabs, GlossaryTooltip, APIRequest } from "~/components
 
 - **[Multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/setup/)**: Both Cloudflare and your primary DNS provider know the signing keys of each other and perform their own live-signing of DNS records, in accordance with [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html).
 - **[Live signing](#set-up-live-signing-dnssec)**: If your domain is not delegated to your primary provider's nameservers and Cloudflare secondary nameservers are the only nameservers authoritatively responding to DNS queries (hidden primary setup), you can choose this option to allow Cloudflare to perform live-signing of your DNS records.
-- **[Pre-signed](#set-up-pre-signed-dnssec)**: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. Cloudflare only supports [NSEC records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/)(and not NSEC3 records) and this setup does not support [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) nor [Load Balancing](/load-balancing/).
+- **[Pre-signed](#set-up-pre-signed-dnssec)**: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. By default, Cloudflare uses [NSEC records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/) and not NSEC3 - refer to [NSEC3 support](/dns/dnssec/enable-nsec3/) if needed. Also, Pre-signed DNSSEC does not support [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) nor [Load Balancing](/load-balancing/).
 
 ---
 
@@ -62,15 +62,10 @@ In this setup, DNSSEC on your pirmary DNS provider does not need to be enabled.
 
 ## Set up pre-signed DNSSEC
 
-:::caution[Important: NSEC3 not supported]
-
-If your primary DNS provider uses NSEC3 instead of NSEC, Cloudflare will fail to serve the pre-signed zone. Authenticated denial of existence is an essential part of DNSSEC ([RFC 7129](https://www.rfc-editor.org/rfc/rfc7129.html)) and is only supported by Cloudflare through NSEC.
-:::
-
 ### Prerequisites
 
 - Your secondary zone in Cloudflare already exists and zone transfers from your primary DNS provider are working correctly.
-- Your primary DNS provider supports DNSSEC using NSEC records (and not NSEC3).
+- You have considered whether your primary DNS provider uses NSEC or NSEC3, and have enabled [NSEC3 support](/dns/dnssec/enable-nsec3/) if needed.
 - Your primary DNS provider transfers out DNSSEC related records, such as RRSIG, DNSKEY, and NSEC.
 
 ### Steps
@@ -84,9 +79,9 @@ Pre-signed DNSSEC does not support [Secondary DNS Overrides](/dns/zone-setups/zo
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
-a. Select your zone and go to **DNS** > **Settings**.
+1. Select your zone and go to **DNS** > **Settings**.
 
-b. Under **DNSSEC with Secondary DNS** select **Pre-signed**.
+2. Under **DNSSEC with Secondary DNS** select **Pre-signed**.
 
 </TabItem> <TabItem label="API">
 
