[SSL] Add subdomain delegation to DCV troubleshooting (#20871)

ngayerie · RebeccaTamachiro · RebeccaTamachiro · commit 9620ca98881d · 2025-04-21T11:06:53.000+01:00
* [SSL] Update troubleshooting.mdx

CUSTESC-46925

* Small text and Style Guide touch-ups

---------

Co-authored-by: Rebecca Tamachiro &lt;rtamachiro@cloudflare.com&gt;
diff --git a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx
@@ -37,7 +37,7 @@ For the purpose of this tutorial, you will update your registrar with the DS rec
 4. Also enable **Multi-signer DNSSEC** and **Multi-provider DNS**.
 5. Go to **DNS** > **Records** and create the following records at your zone apex (meaning you should use `@` in the record **Name** field):
     - A [DNSKEY record](/dns/manage-dns-records/reference/dns-record-types/#ds-and-dnskey) with the zone signing key(s) (ZSKs) of your external provider(s).
-    - A [NS record](/dns/manage-dns-records/reference/dns-record-types/#ns) with your external provider nameservers.
+    - An [NS record](/dns/manage-dns-records/reference/dns-record-types/#ns) with your external provider nameservers.
 
 </TabItem>
 <TabItem label="API">
diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx
@@ -52,7 +52,8 @@ Consider the following when troubleshooting:
 
 - [DNSSEC](https://www.cloudflare.com/learning/dns/dns-security/) must be configured correctly. You can use [DNSViz](https://dnsviz.net/) to understand and troubleshoot the deployment of DNSSEC.
 - Your [CAA records](/ssl/edge-certificates/caa-records/) should allow Cloudflare's partner [certificate authorities (CAs)](/ssl/reference/certificate-authorities/) to issue certificates on your behalf.
-- The HTTP verification process is done preferably over **IPv6**, so if any `AAAA` record exists and does not point to the same dual-stack location as the `A` record, the validation will fail.
+- The HTTP verification process is done preferably over **IPv6**, so if any AAAA record exists and does not point to the same dual-stack location as the A record, the validation will fail.
+- If an [NS record](/dns/manage-dns-records/reference/dns-record-types/#ns) is present for the hostname or its parent, DNS resolution will be managed externally by the DNS provider defined in the NS target. In this case, you must either add the DCV TXT record at the external DNS provider, or remove the NS record at Cloudflare.
 
 ## CA errors
 
