[DNS] Various callouts and tips (#26050)

RebeccaTamachiro · web-flow · commit 8ebc305b5c2d · 2025-10-30T14:49:02.000Z
* Link to dnssec-for-secondary from the setup page

* Replace recommendation wait time for DNSSEC with child zone

* Create new TS page for debug endpoints and adjust order

* Call out nameserver TTL available with Foundation DNS
diff --git a/src/content/docs/dns/nameservers/nameserver-options.mdx b/src/content/docs/dns/nameservers/nameserver-options.mdx
@@ -56,6 +56,10 @@ If you choose this option and you also want to use DNSSEC on your zone, make sur
 
 For both Cloudflare nameservers (standard or advanced) and custom nameservers, the `NS` record time-to-live (TTL) is controlled by the specific setting on the **DNS Records** page, under **DNS record options**.
 
+:::note[Foundation DNS]
+**DNS record options** are part of [Foundation DNS](/dns/foundation-dns/). If you are an Enterprise customer and **Nameserver TTL** is not displayed on your Cloudflare dashboard, reach out to your account team.
+:::
+
 The default TTL is 24 hours (or 86,400 seconds), but you have the option to lower this value depending on your needs. For example, shorter TTLs can be useful when you are changing nameservers or migrating a zone. Accepted values range from 30 to 86,400 seconds.
 
 This setting can also be configured as a [DNS zone default](/dns/additional-options/dns-zone-defaults/), meaning new zones created in your account will automatically start with the value you define.
diff --git a/src/content/docs/dns/troubleshooting/dns-debug-endpoints.mdx b/src/content/docs/dns/troubleshooting/dns-debug-endpoints.mdx
@@ -0,0 +1,25 @@
+---
+pcx_content_type: troubleshooting
+title: Available debug endpoints
+sidebar:
+  order: 10
+  label: Debug endpoints
+---
+
+The following debug endpoints are available via `dig` or other DNS query tools.
+
+```sh
+$ dig @<YOUR_DOMAIN> chaos txt myip.cloudflare +short
+```
+
+```sh
+$ dig @<YOUR_DOMAIN> chaos txt id.server +short
+```
+
+```sh
+$ dig @<YOUR_DOMAIN> chaos txt version.bind +short
+```
+
+```sh
+$ dig @<YOUR_DOMAIN> txt whoami.cloudflare.net +short
+```
diff --git a/src/content/docs/dns/troubleshooting/dns-issues.mdx b/src/content/docs/dns/troubleshooting/dns-issues.mdx
@@ -2,6 +2,8 @@
 pcx_content_type: troubleshooting
 source: https://support.cloudflare.com/hc/en-us/articles/217912538-My-DNS-doesn-t-work
 title: General DNS issues
+sidebar:
+  order: 2
 
 ---
 
diff --git a/src/content/docs/dns/troubleshooting/dns-probe-finished-nxdomain.mdx b/src/content/docs/dns/troubleshooting/dns-probe-finished-nxdomain.mdx
@@ -2,7 +2,7 @@
 title: DNS_PROBE_FINISHED_NXDOMAIN
 pcx_content_type: troubleshooting
 sidebar:
-  order: 2
+  order: 4
 head:
   - tag: title
     content: Fix DNS_PROBE_FINISHED_NXDOMAIN
diff --git a/src/content/docs/dns/troubleshooting/dns-probe-possible.mdx b/src/content/docs/dns/troubleshooting/dns-probe-possible.mdx
@@ -2,7 +2,7 @@
 title: DNS_PROBE_POSSIBLE
 pcx_content_type: troubleshooting
 sidebar:
-  order: 2
+  order: 5
 head:
   - tag: title
     content: Fix DNS_PROBE_POSSIBLE error
diff --git a/src/content/docs/dns/troubleshooting/email-issues.mdx b/src/content/docs/dns/troubleshooting/email-issues.mdx
@@ -5,7 +5,8 @@ title: Email issues
 head:
   - tag: title
     content: Troubleshooting email issues
-
+sidebar:
+  order: 6
 ---
 
 import { Render } from "~/components"
diff --git a/src/content/docs/dns/zone-setups/subdomain-setup/dnssec.mdx b/src/content/docs/dns/zone-setups/subdomain-setup/dnssec.mdx
@@ -8,13 +8,13 @@ head:
     content: Enable DNSSEC - subdomain setup
 ---
 
+import { GlossaryTooltip } from "~/components";
+
 As opposed to the [normal process](/dns/dnssec/) for enabling DNSSEC, DNSSEC with a subdomain setup requires a few additional steps.
 
 ## Requirements
 
-To use DNSSEC for a subdomain setup, DNSSEC must be enabled on the parent zone.
-
-Ideally, you should also wait 12 to 24 hours after enabling DNSSEC on the parent zone to ensure DNS resolvers provide the same DNS query responses.
+To use DNSSEC for a subdomain setup, DNSSEC must be enabled on the parent zone. After enabling DNSSEC on the parent zone, you should wait the minimum <GlossaryTooltip term="time-to-live (TTL)">TTL</GlossaryTooltip> value (specified in the [SOA record](https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/) of the parent zone) to ensure DNS resolvers provide the same DNS query responses.
 
 ## Setup
 
diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup.mdx
@@ -19,6 +19,7 @@ With [incoming zone transfers](/dns/zone-setups/zone-transfers/cloudflare-as-sec
 ## Before you begin
 
 - You should already have a registered domain, set up with your primary DNS provider.
+- Review the available options and plan for how you will use [DNSSEC with Cloudflare as secondary](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/).
 - Make sure you have completed the following tasks at your primary DNS provider and at Cloudflare.
 
 ### At your primary DNS provider
