From 1ce679f2d90567a523820ef0a6731e20243befa1 Mon Sep 17 00:00:00 2001 From: Kian Newman-Hazel Date: Fri, 23 Aug 2024 18:26:40 +0100 Subject: [PATCH 01/12] [DNS] Exposed DNS settings in dash --- .../additional-options/dns-zone-defaults.mdx | 38 +++++++ .../dns/additional-options/reverse-zones.mdx | 4 +- .../dns/dnssec/multi-signer-dnssec/setup.mdx | 84 ++++++++++++-- .../reference/dns-record-types.mdx | 54 ++++++++- .../account-custom-nameservers.mdx | 103 +++++++++++++++--- .../tenant-custom-nameservers.mdx | 2 +- .../zone-custom-nameservers.mdx | 8 +- src/content/docs/dns/nameservers/index.mdx | 2 +- .../dns/nameservers/nameserver-options.mdx | 30 ++++- .../reference/nameserver-assignment.mdx | 4 +- .../cloudflare-as-primary/setup.mdx | 8 +- src/content/partials/dns/acns-tcns-intro.mdx | 2 +- 12 files changed, 296 insertions(+), 43 deletions(-) create mode 100644 src/content/docs/dns/additional-options/dns-zone-defaults.mdx diff --git a/src/content/docs/dns/additional-options/dns-zone-defaults.mdx b/src/content/docs/dns/additional-options/dns-zone-defaults.mdx new file mode 100644 index 000000000000000..337ca42466908cd --- /dev/null +++ b/src/content/docs/dns/additional-options/dns-zone-defaults.mdx 
@@ -0,0 +1,38 @@ +--- +pcx_content_type: how-to +title: Zone defaults +sidebar: + order: 3 +--- + +# Configure DNS zone defaults + +While there are default values for DNS settings that Cloudflare applies to all new zones, Enterprise accounts have the option to configure their own DNS zone defaults according to their preference. + +:::caution +DNS zone defaults are only applied at the moment a new zone is created and will not impact already existing zones. Any of the values specified as default can later be adjusted within each zone, on the respective [**DNS** > **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/dns/settings) or [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) page. +::: + +## Steps + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. +2. Go to **Manage Account** > **Configurations** > **DNS Settings**. +3. For **DNS zone defaults**, select **Configure defaults**. + +The values you select for the listed settings will be automatically applied to new zones as you add them to your Cloudflare account. + +## Available settings + +- [Nameserver assignment](/dns/nameservers/nameserver-options/#assignment-method): Select your preferred nameserver type or assignment method that you want Cloudflare to use for your new zones. This setting applies both to primary zones ([full setup](/dns/zone-setups/full-setup/)) and [secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/). + +For primary zones: + +- [Multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns): Control whether or not Cloudflare will consider `NS` records you add on the zone apex and if zones that contain external nameservers listed in the registrar will be activated. +- [NS record TTL](/dns/nameservers/nameserver-options/#ns-record-ttl): Control how long, in minutes, your nameserver (`NS`) records are cached. The default time-to-live (TTL) is 24 hours. 
This setting applies both to Cloudflare nameservers and [custom nameservers](/dns/nameservers/custom-nameservers/). +- [SOA record](/dns/manage-dns-records/reference/dns-record-types/#soa): Adjust values for the start of authority (SOA) record that Cloudflare creates for your zone. + +For secondary zones: + +- [Secondary DNS override](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/): Enable the options to use Cloudflare [proxy](/dns/manage-dns-records/reference/proxied-dns-records/) and add `CNAME` records at your zone apex. + + Multi-provider DNS does not apply as a setting for secondary zones, as this is already a required behavior for this setup. `SOA` record and the `NS` record TTL are defined on your external DNS provider and only transferred into Cloudflare. \ No newline at end of file diff --git a/src/content/docs/dns/additional-options/reverse-zones.mdx b/src/content/docs/dns/additional-options/reverse-zones.mdx index 89d220f1f8aaa7b..f0c184a9edd5952 100644 --- a/src/content/docs/dns/additional-options/reverse-zones.mdx +++ b/src/content/docs/dns/additional-options/reverse-zones.mdx @@ -1,8 +1,8 @@ --- pcx_content_type: how-to title: Reverse zones and PTR records -weight: 0 - +sidebar: + order: 5 --- import { Details, Example } from "~/components" diff --git a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx index 5992a27ef72a30d..98818c6ceaac8d0 100644 --- a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx +++ b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx 
@@ -8,6 +8,10 @@ head: content: Set up multi-signer DNSSEC --- +import { Tabs, TabItem } from "~/components" + +# Set up multi-signer DNSSEC + This page explains how you can enable [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/) with Cloudflare, using the [model 2](/dns/dnssec/multi-signer-dnssec/about/) as described in [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html). ## Before you begin 
@@ -20,12 +24,29 @@ Note that: ## 1. Set up Cloudflare zone -:::note +### Cloudflare as Primary (full setup) + +If you use Cloudflare as a primary DNS provider, meaning that you manage your DNS records in Cloudflare, do the following: + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone. +2. Go to **DNS** > **Settings**. +3. Select **Enable DNSSEC** and **Confirm**. -The following steps also apply if you use [Cloudflare as a secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), with the difference that, in such case, the records in steps 2 and 3 should be transferred from the primary, and step 4 is not necessary. +:::note +For the purpose of this tutorial, you will update your registrar with the DS record later, in [Step 3](/dns/dnssec/multi-signer-dnssec/setup/#3-set-up-registrar). ::: -1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. This is done by setting `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example. +4. Also enable **Multi-signer DNSSEC** and **Multi-provider DNS**. +5. Go to **DNS** > **Records** and create the following records at your zone apex (meaning you should use `@` in the record **Name** field): + - A [DNSKEY record](/dns/manage-dns-records/reference/dns-record-types/#ds-and-dnskey) with the zone signing key(s) (ZSKs) of your external provider(s). + - A [NS record](/dns/manage-dns-records/reference/dns-record-types/#ns) with your external provider nameservers. + + + + +1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example. ```bash curl --request PATCH \ 
@@ -74,27 +95,68 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \ }' ``` -4. Enable the usage of the nameservers you added in the previous step by using the API request below. Alternatively, go to [**DNS** > **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/dns/settings) and enable **Multi-provider DNS**. +4. Enable the usage of the nameservers you added in the previous step by using the API request below. :::caution +This step is required. Without turning on this setting, Cloudflare will ignore any `NS` records created on the zone apex. This means that responses to DNS queries made to the zone apex and requesting `NS` records will only contain Cloudflare nameservers. +::: -This step is required if you are using Cloudflare as a primary DNS provider - without enabling this setting, Cloudflare will ignore any `NS` records created on the zone apex. This means that responses to DNS queries made to the zone apex and requesting `NS` records will only contain Cloudflare nameservers. +```bash +curl --request PATCH \ +"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ + "multi_provider": true +}' +``` + + + + +### Cloudflare as Secondary + +If you use Cloudflare as a secondary DNS provider, do the following: -If you are using [Cloudflare as a secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), this step is not necessary. + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone. +2. Go to **DNS** > **Settings**. +3. For **DNSSEC with Secondary DNS** select **Live signing**. + +:::note +For the purpose of this tutorial, you will update your registrar with the DS record later, in [Step 3](/dns/dnssec/multi-signer-dnssec/setup/#3-set-up-registrar). ::: +4. Also enable **Multi-signer DNSSEC**. +5. 
Add the zone signing key(s) (ZSKs) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare. +6. Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare. + + + + +1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example. + ```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \ +$ curl --request PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec' \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ --data '{ - "multi_provider": true + "status": "active", + "dnssec_multi_signer": true }' ``` +2. Add the ZSK(s) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare. + +3. Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare. + + + + ## 2. Set up external provider 1. Get Cloudflare's ZSK using either the API or a query from one of the assigned Cloudflare nameservers. @@ -110,7 +172,7 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk" \ Command line query example: ```sh -dig dnskey @ +noall +answer | grep 256 +$ dig dnskey @ +noall +answer | grep 256 ``` 2. Add Cloudflare's ZSK that you fetched in the previous step to the DNSKEY record set of your external provider(s). 
@@ -120,4 +182,4 @@ dig dnskey @ +noall +answer | grep 256 1. Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the [dashboard](https://dash.cloudflare.com/?to=/:account/:zone/dns) by going to **DNS** > **Settings** > **DS Record**. -2. Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup. +2. Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup. \ No newline at end of file diff --git a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx index 769ba6e0552c787..cc9b1b851a51afc 100644 --- a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx @@ -6,7 +6,7 @@ sidebar: --- -import { Render } from "~/components" +import { Details, Render } from "~/components" This page provides information about some of the different types of DNS records that you can manage on Cloudflare. For guidance on how to add, edit, or delete DNS records, refer to [Manage DNS records](/dns/manage-dns-records/how-to/create-dns-records/). 
@@ -316,11 +316,59 @@ Within Cloudflare, PTR records are used for reverse DNS lookups and should prefe ### SOA -A [start of authority (SOA)](https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/) record stores information about your domain such as admin email address, when the domain was last updated, and more. +A start of authority (SOA) record stores information about your domain such as admin email address, when the domain was last updated, and more. Refer to [What is a DNS SOA record](https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/) for an example. If you are using Cloudflare for your [authoritative DNS](/dns/zone-setups/full-setup/), you do not need to create an SOA record. Cloudflare creates this record automatically when you start using Cloudflare's authoritative nameservers. - +If you have an Enterprise account, you also have the option to configure your own [DNS zone defaults](/dns/additional-options/dns-zone-defaults/) and change the SOA record values that Cloudflare will use for all new zones added to your account. + +Refer to the following list for information about each SOA record field: + +
+ +* **`MNAME`**: The primary nameserver for the zone. Secondary nameservers receive zone updates from the nameserver specified in this field. +* **`RNAME`**: The email address of the administrator responsible for the zone. + + The `@` symbol is replaced by the first dot. If an email address contains a dot before `@`, this should be represented as `\.`. + + | Email | `RNAME` | + |---------------------------|-------------------------| + |`john@example.com` | `john.example.com` | + |`john.doe@example.com` | `john\.doe.example.com` | + +* **`Serial`**: The serial number for the zone. Secondary nameservers initiate zone transfers if this number increases. +* **`Refresh`**: Time (in seconds) after which a secondary nameserver should query the primary for the `SOA` record, to detect zone changes. Only relevant if DNS NOTIFY ([RFC 1996](https://www.rfc-editor.org/rfc/rfc1996.html)) is not configured. + + | Default | Minimum | Maximum | + |--------------|------------|----------| + |`10000` | `600` | `86400` | + +* **`Retry`**: Time (in seconds) after which a secondary nameserver should retry getting the serial number from the primary nameserver after a failed attempt. Any specified values must not be greater than `Refresh`. + + | Default | Minimum | Maximum | + |--------------|------------|----------| + |`2400` | `600` | `3600` | + +* **`Expire`**: Time (in seconds) after which a secondary nameserver should stop answering queries for a zone if the primary does not respond. Any specified values must not be smaller than `Refresh`. + + | Default | Minimum | Maximum | + |--------------|------------|-----------| + |`604800` | `86400` | `2419200` | + +* **`Record TTL`**: The [time to live](/dns/manage-dns-records/reference/ttl/) of the SOA record. + + | Default | Minimum | Maximum | + |--------------|------------|----------| + |`3600` | `1800` | `3600` | + +* **`Minimum TTL`**: The TTL for caching negative responses. 
Refer to [RFC 2308](https://www.rfc-editor.org/rfc/rfc2308.html#section-4) for details. + + | Default | Minimum | Maximum | + |--------------|------------|----------| + |`1800` | `60` | `86400` | + + +
### NS diff --git a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx index ef3822ed877613a..a3486560c1837a4 100644 --- a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx +++ b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx @@ -9,10 +9,9 @@ head: description: With account-level custom nameservers, you can use the same custom nameservers for different zones in the account. The domain or domains that provide the nameservers names do not have to exist as zones in Cloudflare. - --- -import { Example, Render } from "~/components" +import { Example, Render, Tabs, TabItem } from "~/components" 
@@ -24,16 +23,38 @@ For this configuration to be possible, a few conditions apply: +* Choosing a set from `ns_set 1` through `ns_set 5` will influence how Cloudflare assigns nameservers to your new zones if you configure [DNS zone defaults](/dns/nameservers/nameserver-options/#dns-zone-defaults). + ## Enable account custom nameservers ### 1. Set up ACNS names and sets -1. Use the [Add account custom nameserver endpoint](/api/operations/account-level-custom-nameservers-add-account-custom-nameserver) to create account custom nameservers. Follow the [conditions](#configuration-conditions) for `ns_name` and `ns_set`. +1. Create ACNS names and sets: + + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. +2. Go to **Manage Account** > **Configurations**. +3. For **Account custom nameservers**, select **Configure custom nameservers**. +4. Insert a fully qualified domain name for **Nameserver name** and choose a **Nameserver set**. Follow the [configuration conditions](#configuration-conditions). + +Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name, and these nameservers will be listed as options that you can [enable on existing zones](#2-enable-acns-on-existing-zones) or [set up as default for new zones in the account](#3-optional-make-acns-default-for-new-zones). + + + + +Use the [Add account custom nameserver endpoint](/api/operations/account-level-custom-nameservers-add-account-custom-nameserver) to create account custom nameservers. Follow the [conditions](#configuration-conditions) for `ns_name` and `ns_set`. Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name. +Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name and these nameservers will be listed as options that you can [enable on existing zones](#2-enable-acns-on-existing-zones) or [set up as default for new zones in the account](#3-optional-make-acns-default-for-new-zones). + + + + 2. 
Make sure `A/AAAA` records with the assigned IPv4 and IPv6 exist at the authoritative DNS of the domain that provides the ACNS names. * If the domain uses Cloudflare DNS, the respective `A` and `AAAA` records are automatically created. 
@@ -52,20 +73,55 @@ Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name. * If you are using Cloudflare Registrar for the domain that provides the ACNS names, [contact Cloudflare Support](/support/contacting-cloudflare-support/) to add the account custom nameservers and IP addresses as glue records to the domain. - * If you are not using Cloudflare Registrar for the domain that provides the ACNS names, add the account custom nameservers and IP addresses to your domain's registrar as [glue records](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3). If you do not add these records, DNS lookups for your domain will fail. + * If you are not using Cloudflare Registrar for the domain that provides the ACNS names, add the account custom nameservers and IP addresses to your domain's registrar as glue records ([RFC 1912](https://www.rfc-editor.org/rfc/rfc1912.html)). If you do not add these records, DNS lookups for your domain will fail. ### 2. Use ACNS on existing zones -1. Choose an ACNS set as custom nameservers for a zone. Use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) for each zone. +1. Choose an ACNS set as custom nameservers for a zone: + + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone. +2. Go to **DNS** > **Records**. +3. For **Custom nameservers**, select **Configure**. +4. Select **Use the custom nameservers created for all DNS zones under your account** and choose a nameserver set from the list. + + + + +Use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) for each zone. + + + 2. 
Make sure the nameservers are updated: - * If your domain uses [Cloudflare Registrar](/registrar/), [contact Cloudflare Support](/support/contacting-cloudflare-support/) to update your nameservers. - * If your domain uses a different registrar or if it has been delegated to a parent domain, manually update your nameservers. Refer to [Update nameservers](/dns/nameservers/update-nameservers/) for detailed guidance. + * If your domain uses [Cloudflare Registrar](/registrar/), [contact Cloudflare Support](/support/contacting-cloudflare-support/) to update your nameservers. + * If your domain uses a different registrar, update the nameservers at your registrar to use the account custom nameservers. + * If your zone is delegated to a parent zone, update the corresponding `NS` record at the parent zone. ### 3. (Optional) Make ACNS default for new zones -To make these ACNS the default nameservers for all new zones added to your account from now on, use the [Update Account endpoint](/api/operations/accounts-update-account) and set the value of `default_nameservers` to `custom.account`. +To make ACNS the default option for all new zones added to your account from now on: + + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. +2. Go to **Manage Account** > **Configurations**. +3. For **DNS zone defaults**, select **Configure defaults**. +4. Change the **Nameserver assignment method** to **Account custom nameservers**. + +Refer to [DNS zone defaults](/dns/nameservers/nameserver-options/#dns-zone-defaults) for details. + + + + +Use the [Update Account endpoint](/api/operations/accounts-update-account) and set the value of `default_nameservers` to `custom.account`. + + + ## Disable account custom nameservers 
@@ -73,15 +129,36 @@ To make these ACNS the default nameservers for all new zones added to your accou To remove ACNS from a zone, first update your nameservers to stop using ACNS: -* If you are using [Cloudflare Registrar](/registrar/), use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) to change the `enabled` parameter to `false`, and then [contact Cloudflare Support](/support/contacting-cloudflare-support/) to set your nameservers back to the regular Cloudflare-branded nameservers. -* If you are not using [Cloudflare Registrar](/registrar/), modify the domain's registrar to use your regular Cloudflare-branded nameservers and then use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) to set the `enabled` parameter to `false`. + + -### 2. Delete ACNS names or sets +* If you are using [Cloudflare Registrar](/registrar/), [contact Cloudflare Support](/support/contacting-cloudflare-support/) to set your nameservers back to the regular Cloudflare branded nameservers. +* If you are not using [Cloudflare Registrar](/registrar/), modify the domain's registrar to use your regular Cloudflare branded nameservers. -:::caution + + + +* If you are using [Cloudflare Registrar](/registrar/), use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) to change the `enabled` parameter to `false`, and then [contact Cloudflare Support](/support/contacting-cloudflare-support/) to set your nameservers back to the regular Cloudflare branded nameservers. 
+* If you are not using [Cloudflare Registrar](/registrar/), modify the domain's registrar to use your regular Cloudflare branded nameservers and then use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) to set the `enabled` parameter to `false`. + + + + +### 2. Delete ACNS names or sets Following the [configuration conditions](#configuration-conditions), each set must have between two and five different nameserver names. When you delete all names or leave a set with only one nameserver name, the set will no longer be listed as an option for the zones in your account. -::: + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. +2. Go to **Manage Account** > **Configurations**. +3. For **Account custom nameservers**, select **Delete** next to the ACNS name. + + + Use the [Delete account custom nameserver endpoint](/api/operations/account-level-custom-nameservers-delete-account-custom-nameserver) to delete a specific ACNS. + + + \ No newline at end of file diff --git a/src/content/docs/dns/nameservers/custom-nameservers/tenant-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/tenant-custom-nameservers.mdx index cad6f1b3bf3592c..e6d43bd2adc9b3f 100644 --- a/src/content/docs/dns/nameservers/custom-nameservers/tenant-custom-nameservers.mdx +++ b/src/content/docs/dns/nameservers/custom-nameservers/tenant-custom-nameservers.mdx 
@@ -82,7 +82,7 @@ curl https://api.cloudflare.com/client/v4/tenants/{tenant_id}/custom_ns \ -2. Add the account custom nameservers and IP addresses to your domain's registrar as [glue (A and AAAA) records](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3) +2. Add the account custom nameservers and IP addresses to your domain's registrar as glue (A and AAAA) records ([RFC 1912](https://www.rfc-editor.org/rfc/rfc1912.html)). 3. If the domain or domains that are used for the tenant custom nameservers do not exist within the same account, you must create the `A/AAAA` records on the configured nameserver names (for example, `ns1.example.com`) at the authoritative DNS provider. diff --git a/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx index 559bf1bfe59689a..8f66cebd87f67ee 100644 --- a/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx +++ b/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx @@ -27,7 +27,8 @@ To create zone custom nameservers: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone. 2. Go to **DNS** > **Records**. -3. On **Custom Nameservers**, click **Add Custom Nameservers** and enter the subdomains used for the ZCNS names (for example, `ns1`, `ns2`, `ns3`). +3. On **Custom nameservers**, select **Configure**. +4. Select **Create custom nameservers just for `your-domain.com`** and enter the subdomains used for the ZCNS names (for example, `ns1`, `ns2`, `ns3`). 
@@ -44,15 +45,14 @@ Cloudflare will assign an IPv4 and an IPv6 address to each ZCNS name and automat The next step depends on whether you are using [Cloudflare Registrar](/registrar/) for your domain: - If you are using Cloudflare Registrar for your domain, [contact Cloudflare Support](/support/contacting-cloudflare-support/) to add the custom nameservers and IP addresses as glue records to the domain. -- If you are not using Cloudflare Registrar for your domain, add the zone custom nameservers at your registrar as your authoritative nameservers and as [glue (A and AAAA) records](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3). If you do not add these records, DNS lookups for your domain will fail. - +- If you are not using Cloudflare Registrar for your domain, add the zone custom nameservers at your registrar as your authoritative nameservers and as glue (A and AAAA) records ([RFC 1912](https://www.rfc-editor.org/rfc/rfc1912.html)). If you do not add these records, DNS lookups for your domain will fail. ### Secondary zones If you are using [Cloudflare as a secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), you can still set up zone custom nameservers. After following the [steps above](/dns/nameservers/custom-nameservers/zone-custom-nameservers/#primary-full-setup-zones) to create zone custom nameservers, do the following: 1. Get the ZCNS IPs. You can see them on the dashboard (**DNS** > **Records**) or you can use the [Zone details endpoint](/api/operations/zones-0-get) to get the `vanity_name_servers_ips`. 2. At your primary DNS provider, add [`NS` records](/dns/manage-dns-records/reference/dns-record-types/#ns) and, on the subdomains that you used as ZCNS names, add `A/AAAA` records. -3. At your registrar, add the zone custom nameservers as your authoritative nameservers and as [glue (A and AAAA) records](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3). +3. 
At your registrar, add the zone custom nameservers as your authoritative nameservers and as glue (A and AAAA) records ([RFC 1912](https://www.rfc-editor.org/rfc/rfc1912.html)). ## Remove zone custom nameservers diff --git a/src/content/docs/dns/nameservers/index.mdx b/src/content/docs/dns/nameservers/index.mdx index 547a0c7f025bf60..11de82d506c1bee 100644 --- a/src/content/docs/dns/nameservers/index.mdx +++ b/src/content/docs/dns/nameservers/index.mdx @@ -20,7 +20,7 @@ Regardless of the type you choose, for these nameservers to be authoritative for ### Standard nameservers -When you add a domain on a [primary (full)](/dns/zone-setups/full-setup/) DNS setup, Cloudflare automatically assigns two standard nameservers for your zone. +Unless your account has a specific [DNS zone defaults](/dns/additional-options/dns-zone-defaults/) configuration, when you add a domain on a [primary (full)](/dns/zone-setups/full-setup/) or [secondary](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/) DNS setup, Cloudflare automatically assigns two standard nameservers for your zone. Standard nameservers are hosted on `ns.cloudflare.com` and follow the pattern `.ns.cloudflare.com`. diff --git a/src/content/docs/dns/nameservers/nameserver-options.mdx b/src/content/docs/dns/nameservers/nameserver-options.mdx index 303810d45d36b27..6d93800f61590b9 100644 --- a/src/content/docs/dns/nameservers/nameserver-options.mdx +++ b/src/content/docs/dns/nameservers/nameserver-options.mdx 
@@ -10,9 +10,25 @@ import { Example } from "~/components" Refer to the sections below to learn about different nameserver options. +## Assignment method + +When you add a domain on a full or secondary setup, Cloudflare automatically assigns your nameservers. + +The [default assignment method](/dns/zone-setups/reference/nameserver-assignment/) is to use standard nameservers and favor consistent nameserver names across all zones within an account. Nonetheless, in case there are conflicts - for example, if someone else has already added the same zone to a different account - you may get different nameserver names. + +To have control over what nameservers are assigned for different zones within an account, you can use [account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/). + +### DNS zone defaults + +If you have an Enterprise account, you also have the option to [configure your own DNS zone defaults](/dns/additional-options/dns-zone-defaults/) and change how Cloudflare handles nameserver assignment when you add a new zone to your account: + +- **Standard nameservers randomized**: instead of attempting consistency, Cloudflare assigns random pairs of nameserver names every time you add a new domain to your account. +- **Advanced nameservers**: Cloudflare uses the same method as the default - trying to keep nameserver names consistent for different zones within an account - but uses the specific [Foundation DNS nameservers](/dns/foundation-dns/advanced-nameservers/). +- **Account custom nameservers**: Cloudflare automatically assigns a set of [account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/) that you have previously configured for your account. In this method, **Set 1** will be attempted first and, in case of any conflicts, Cloudflare will cycle through the other nameserver sets, in ascending order. 
+ ## Multi-provider DNS -Multi-provider DNS is an optional setting for zones using [full setup](/dns/zone-setups/full-setup/) and is an enforced default behaviour for zones using [secondary setup](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/). +Multi-provider DNS is an optional setting for zones using [full setup](/dns/zone-setups/full-setup/) and is an enforced default behavior for zones using [secondary setup](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/). When you enable multi-provider DNS on a primary (full setup) zone: @@ -32,6 +48,14 @@ This means that responses to DNS queries made to the zone apex and requesting `N :::caution -If you choose this option, you should also make sure to set up [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/). +If you choose this option and you also want to use DNSSEC on your zone, make sure to set up [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/). + +::: + +## NS record TTL + +For both Cloudflare nameservers (standard or advanced) and custom nameservers, the `NS` record time-to-live (TTL) is controlled by the specific setting in **DNS** > **Records**. + +The default TTL is 24 hours (or 86,400 seconds), but you have the option to lower this value depending on your needs. For example, shorter TTLs can be useful when you are changing nameservers or migrating a zone. Accepted values range from 30 to 86,400 seconds. -::: \ No newline at end of file +This setting can also be configured as a [DNS zone default](/dns/additional-options/dns-zone-defaults/), meaning new zones created in your account will automatically start with the value you define. \ No newline at end of file diff --git a/src/content/docs/dns/zone-setups/reference/nameserver-assignment.mdx b/src/content/docs/dns/zone-setups/reference/nameserver-assignment.mdx index ffd70aca7be9514..f0cb516ee5fd759 100644 --- a/src/content/docs/dns/zone-setups/reference/nameserver-assignment.mdx 
+++ b/src/content/docs/dns/zone-setups/reference/nameserver-assignment.mdx @@ -8,16 +8,14 @@ When you add a domain on a [primary (full)](/dns/zone-setups/full-setup/) or [se Each domain's assigned nameservers may be different than other domains, even if those domains are within the same account. -These nameserver assignments cannot be changed unless you set up [custom or vanity nameservers](/dns/nameservers/custom-nameservers/). +These nameserver assignments cannot be changed. However, depending on your subscription, you may have different options to [control the nameservers assignment method](/dns/nameservers/nameserver-options/#assignment-method) or to use your own [custom nameservers](/dns/nameservers/custom-nameservers/). :::caution - To prevent domain hijacking, you can no longer preset Cloudflare nameservers at your registrar before creating the respective zone in Cloudflare. If you preset your nameservers and then add the domain, your domain will be assigned a new pair of nameservers. To keep the same nameservers across your domains, use [Account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/). - ::: For more background on nameserver assignments, refer to [our blog](https://blog.cloudflare.com/whats-the-story-behind-the-names-of-cloudflares-name-servers/). diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx index a4aacb9a96d4806..556fca03822164c 100644 --- a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx +++ b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx 
@@ -118,7 +118,11 @@ It should also have updated [Access Control Lists (ACLs)](/dns/zone-setups/zone- Using the information from your secondary DNS provider, [create `NS` records](/dns/manage-dns-records/how-to/create-dns-records/#create-dns-records) on your zone apex listing your secondary nameservers. -By default, Cloudflare ignores `NS` records that are added to the zone apex. To modify this behaviour, enable [multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns): +By default, Cloudflare ignores `NS` records added to the zone apex. To modify this behavior, enable [multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns): + +:::note +If your account [zone defaults](/dns/additional-options/dns-zone-defaults/) are already defined to have **Multi-provider DNS** enabled, this step may not be necessary. +::: @@ -129,6 +133,8 @@ By default, Cloudflare ignores `NS` records that are added to the zone apex. To +Send the following `PATCH` request replacing the placeholders with your zone ID and authentication information: + ```bash curl --request PATCH \ "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \ diff --git a/src/content/partials/dns/acns-tcns-intro.mdx b/src/content/partials/dns/acns-tcns-intro.mdx index 53d0b616fc2937f..d75bd29c06d9035 100644 --- a/src/content/partials/dns/acns-tcns-intro.mdx +++ b/src/content/partials/dns/acns-tcns-intro.mdx @@ -9,4 +9,4 @@ import { Markdown } from "~/components" {props.two}CNS are organized in different sets (`ns_set`) and {props.two}CNS names can be provided by any domain, even if the domain does not exist as a zone in Cloudflare. -For instance, if the {props.two}CNS are `ns1.example.com` and `ns2.vanity.org`, the domains `example.com` and `vanity.org` are not required to be zones in Cloudflare. +For instance, if the {props.two}CNS are `ns1.example.com` and `ns2.vanity.test`, the domains `example.com` and `vanity.test` are not required to be zones in Cloudflare. 
From 78f997d0d4ff88e1932f8aac4689cea1a2ae3dc4 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 10 Oct 2024 11:15:11 +0100 Subject: [PATCH 02/12] Adjust titles and label for multi-signer-dnssec setup page --- .../docs/dns/dnssec/multi-signer-dnssec/setup.mdx | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx index 98818c6ceaac8d0..90c0aab17668a60 100644 --- a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx +++ b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx @@ -1,16 +1,12 @@ --- pcx_content_type: how-to -title: Setup +title: Set up multi-signer DNSSEC sidebar: order: 5 -head: - - tag: title - content: Set up multi-signer DNSSEC + label: Setup --- -import { Tabs, TabItem } from "~/components" - -# Set up multi-signer DNSSEC +import { Tabs, TabItem } from "~/components"; This page explains how you can enable [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/) with Cloudflare, using the [model 2](/dns/dnssec/multi-signer-dnssec/about/) as described in [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html). @@ -28,7 +24,7 @@ Note that: If you use Cloudflare as a primary DNS provider, meaning that you manage your DNS records in Cloudflare, do the following: - + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone. 2. Go to **DNS** > **Settings**. @@ -119,7 +115,7 @@ curl --request PATCH \ If you use Cloudflare as a secondary DNS provider, do the following: - + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone. From 9a83fe4a2713db69fd46854ef67ac6bd5b050157 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Thu, 10 Oct 2024 11:49:27 +0100 Subject: [PATCH 03/12] Remove repeated sentence and add Tabs syncKey --- .../account-custom-nameservers.mdx | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx index bb84610a36f25ee..c55927bf2e2fb35 100644 --- a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx +++ b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx @@ -32,7 +32,7 @@ For this configuration to be possible, a few conditions apply: 1. Create ACNS names and sets: - + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. @@ -40,8 +40,6 @@ For this configuration to be possible, a few conditions apply: 3. For **Account custom nameservers**, select **Configure custom nameservers**. 4. Insert a fully qualified domain name for **Nameserver name** and choose a **Nameserver set**. Follow the [configuration conditions](#configuration-conditions). -Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name, and these nameservers will be listed as options that you can [enable on existing zones](#2-enable-acns-on-existing-zones) or [set up as default for new zones in the account](#3-optional-make-acns-default-for-new-zones). - 
@@ -49,13 +47,11 @@ Use the [Add account custom nameserver endpoint](/api/operations/account-level-c -Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name. - -Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name and these nameservers will be listed as options that you can [enable on existing zones](#2-enable-acns-on-existing-zones) or [set up as default for new zones in the account](#3-optional-make-acns-default-for-new-zones). - +Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name, and these nameservers will be listed as options that you can [use on existing zones](#2-use-acns-on-existing-zones) or [set up as default for new zones in the account](#3-optional-make-acns-default-for-new-zones). + 2. Make sure `A/AAAA` records with the assigned IPv4 and IPv6 exist at the authoritative DNS of the domain that provides the ACNS names. * If the domain uses Cloudflare DNS, the respective `A` and `AAAA` records are automatically created. @@ -80,7 +76,7 @@ Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name and these n 1. Choose an ACNS set as custom nameservers for a zone: - + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone. @@ -106,7 +102,7 @@ Use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level- To make ACNS the default option for all new zones added to your account from now on: - + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. @@ -130,7 +126,7 @@ Use the [Update Account endpoint](/api/operations/accounts-update-account) and s To remove ACNS from a zone, first update your nameservers to stop using ACNS: - + * If you are using [Cloudflare Registrar](/registrar/), [contact Cloudflare Support](/support/contacting-cloudflare-support/) to set your nameservers back to the regular Cloudflare branded nameservers. 
@@ -149,7 +145,7 @@ To remove ACNS from a zone, first update your nameservers to stop using ACNS: Following the [configuration conditions](#configuration-conditions), each set must have between two and five different nameserver names. When you delete all names or leave a set with only one nameserver name, the set will no longer be listed as an option for the zones in your account. - + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. From e87b7ae7fa970b8f1d1f41556f2360c879a76663 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 16 Oct 2024 15:21:37 +0100 Subject: [PATCH 04/12] Add information about ability to change SOA for existing zone --- .../docs/dns/manage-dns-records/reference/dns-record-types.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx index 6b31f5cdcb29126..bed56cec46cd7a7 100644 --- a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx 
@@ -320,7 +320,8 @@ A start of authority (SOA) record stores information about your domain such as a If you are using Cloudflare for your [authoritative DNS](/dns/zone-setups/full-setup/), you do not need to create an SOA record. Cloudflare creates this record automatically when you start using Cloudflare's authoritative nameservers. -If you have an Enterprise account, you also have the option to configure your own [DNS zone defaults](/dns/additional-options/dns-zone-defaults/) and change the SOA record values that Cloudflare will use for all new zones added to your account. +If you have an Enterprise account, you also have the option to change the SOA record values that Cloudflare will use. +You can do that for existing zones by going to **DNS** > **Records** > **DNS record options**, or you can configure your own [DNS zone defaults](/dns/additional-options/dns-zone-defaults/) and define the SOA record values that Cloudflare will use for all new zones added to your account. Refer to the following list for information about each SOA record field: From 09985b5de93c395e464593659fafdd791b9fc5cd Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 16 Oct 2024 17:46:55 +0100 Subject: [PATCH 05/12] Align feature name with dash and refer existing zone process --- src/content/docs/dns/additional-options/dns-zone-defaults.mdx | 2 +- src/content/docs/dns/manage-dns-records/reference/ttl.mdx | 4 ++++ src/content/docs/dns/nameservers/nameserver-options.mdx | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/content/docs/dns/additional-options/dns-zone-defaults.mdx b/src/content/docs/dns/additional-options/dns-zone-defaults.mdx index 337ca42466908cd..2e9626b762baad6 100644 --- a/src/content/docs/dns/additional-options/dns-zone-defaults.mdx +++ b/src/content/docs/dns/additional-options/dns-zone-defaults.mdx 
@@ -28,7 +28,7 @@ The values you select for the listed settings will be automatically applied to n For primary zones: - [Multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns): Control whether or not Cloudflare will consider `NS` records you add on the zone apex and if zones that contain external nameservers listed in the registrar will be activated. -- [NS record TTL](/dns/nameservers/nameserver-options/#ns-record-ttl): Control how long, in minutes, your nameserver (`NS`) records are cached. The default time-to-live (TTL) is 24 hours. This setting applies both to Cloudflare nameservers and [custom nameservers](/dns/nameservers/custom-nameservers/). +- [NS record TTL](/dns/nameservers/nameserver-options/#nameserver-ttl): Control how long, in minutes, your nameserver (`NS`) records are cached. The default time-to-live (TTL) is 24 hours. This setting applies both to Cloudflare nameservers and [custom nameservers](/dns/nameservers/custom-nameservers/). - [SOA record](/dns/manage-dns-records/reference/dns-record-types/#soa): Adjust values for the start of authority (SOA) record that Cloudflare creates for your zone. For secondary zones: diff --git a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx index 9f2336e380d6bfd..d49c52259853b78 100644 --- a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx 
@@ -27,3 +27,7 @@ It may take longer than 5 minutes for you to actually experience record changes, ## Unproxied records For **DNS only** records, you can choose a TTL between **30 seconds** (Enterprise) or **60 seconds** (non-Enterprise) and **1 day**. + +:::note +[Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl) is a separate feature and only affects Cloudflare nameservers (standard or advanced) and custom nameservers. For other NS records on your DNS records table, TTL is controlled by their respective TTL fields. +::: \ No newline at end of file diff --git a/src/content/docs/dns/nameservers/nameserver-options.mdx b/src/content/docs/dns/nameservers/nameserver-options.mdx index 6d93800f61590b9..327d70e20e8ae65 100644 --- a/src/content/docs/dns/nameservers/nameserver-options.mdx +++ b/src/content/docs/dns/nameservers/nameserver-options.mdx @@ -52,9 +52,9 @@ If you choose this option and you also want to use DNSSEC on your zone, make sur ::: -## NS record TTL +## Nameserver TTL -For both Cloudflare nameservers (standard or advanced) and custom nameservers, the `NS` record time-to-live (TTL) is controlled by the specific setting in **DNS** > **Records**. +For both Cloudflare nameservers (standard or advanced) and custom nameservers, the `NS` record time-to-live (TTL) is controlled by the specific setting in **DNS** > **Records** > **DNS record options**. The default TTL is 24 hours (or 86,400 seconds), but you have the option to lower this value depending on your needs. For example, shorter TTLs can be useful when you are changing nameservers or migrating a zone. Accepted values range from 30 to 86,400 seconds. From 7b8f41e14e500082199b7e0dd4004e6e31148bbb Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Fri, 18 Oct 2024 14:53:33 +0100 Subject: [PATCH 06/12] Update from 'NS record TTL' to 'Nameserver TTL' --- .../docs/dns/additional-options/dns-zone-defaults.mdx | 2 +- src/content/docs/dns/manage-dns-records/reference/ttl.mdx | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/dns/additional-options/dns-zone-defaults.mdx b/src/content/docs/dns/additional-options/dns-zone-defaults.mdx index 2e9626b762baad6..ab41eb6128202a7 100644 --- a/src/content/docs/dns/additional-options/dns-zone-defaults.mdx +++ b/src/content/docs/dns/additional-options/dns-zone-defaults.mdx @@ -28,7 +28,7 @@ The values you select for the listed settings will be automatically applied to n For primary zones: - [Multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns): Control whether or not Cloudflare will consider `NS` records you add on the zone apex and if zones that contain external nameservers listed in the registrar will be activated. -- [NS record TTL](/dns/nameservers/nameserver-options/#nameserver-ttl): Control how long, in minutes, your nameserver (`NS`) records are cached. The default time-to-live (TTL) is 24 hours. This setting applies both to Cloudflare nameservers and [custom nameservers](/dns/nameservers/custom-nameservers/). +- [Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl): Control how long, in seconds, your nameserver (`NS`) records are cached. The default time-to-live (TTL) is 24 hours. This setting applies both to Cloudflare nameservers and [custom nameservers](/dns/nameservers/custom-nameservers/). - [SOA record](/dns/manage-dns-records/reference/dns-record-types/#soa): Adjust values for the start of authority (SOA) record that Cloudflare creates for your zone. For secondary zones: diff --git a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx index d49c52259853b78..4c7dc0780ee02da 100644 
--- a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx @@ -28,6 +28,6 @@ It may take longer than 5 minutes for you to actually experience record changes, For **DNS only** records, you can choose a TTL between **30 seconds** (Enterprise) or **60 seconds** (non-Enterprise) and **1 day**. -:::note -[Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl) is a separate feature and only affects Cloudflare nameservers (standard or advanced) and custom nameservers. For other NS records on your DNS records table, TTL is controlled by their respective TTL fields. -::: \ No newline at end of file +## Nameserver TTL + +[Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl) is a separate feature and only affects Cloudflare nameservers and custom nameservers. For other [NS records](/reference/dns-record-types/#ns) on your DNS records table, TTL is controlled by their respective TTL fields. \ No newline at end of file From 085410b5f9bb7f0f0d2bbce0943eaccba030743a Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 18 Oct 2024 14:58:21 +0100 Subject: [PATCH 07/12] Review dns-record-types/#ns and fix ACNS mention to API-only --- .../docs/dns/manage-dns-records/reference/dns-record-types.mdx | 2 +- src/content/docs/dns/nameservers/custom-nameservers/index.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx index 6a7880fdae83ecd..02e5f3f0cae3c8d 100644 --- a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx 
@@ -377,7 +377,7 @@ Refer to the following list for information about each SOA record field: A [nameserver (NS) record](https://www.cloudflare.com/learning/dns/dns-records/dns-ns-record/) indicates which server should be used for authoritative DNS. -You only need to add NS records when you are [creating custom or vanity nameservers](/dns/nameservers/custom-nameservers/), using [subdomain setup](/dns/zone-setups/subdomain-setup/), or [delegating subdomains outside of Cloudflare](/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/). +You only need to add NS records when you are using [subdomain setup](/dns/zone-setups/subdomain-setup/) or [delegating subdomains outside of Cloudflare](/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/). diff --git a/src/content/docs/dns/nameservers/custom-nameservers/index.mdx b/src/content/docs/dns/nameservers/custom-nameservers/index.mdx index b8e133ea7b43433..87f0369a1406954 100644 --- a/src/content/docs/dns/nameservers/custom-nameservers/index.mdx +++ b/src/content/docs/dns/nameservers/custom-nameservers/index.mdx 
@@ -19,7 +19,7 @@ To use custom nameservers, a zone must be using Cloudflare as [Primary (Full set ## Availability * Zone custom nameservers are available for zones on Business or Enterprise plans. Via API or on the dashboard. -* Account custom nameservers are available for customers on Business (after [contacting Cloudflare Support](/support/contacting-cloudflare-support/)) or Enterprise plans. Once configured, account custom nameservers can be used by all zones in the account, regardless of the zone plan. Via API only. +* Account custom nameservers are available for customers on Business (after [contacting Cloudflare Support](/support/contacting-cloudflare-support/)) or Enterprise plans. Once configured, account custom nameservers can be used by all zones in the account, regardless of the zone plan. Via API or on the dashboard. * Tenant custom nameservers, if created by the tenant owner, will be available to all zones belonging to any account that is part of the tenant. Via API only. ## Restrictions From 1d6ddeff28f0f3cfc08783a6733ca181b61fb26e Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 18 Oct 2024 15:15:22 +0100 Subject: [PATCH 08/12] Fix broken link --- src/content/docs/dns/manage-dns-records/reference/ttl.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx index 4c7dc0780ee02da..c964f025023f0c3 100644 --- a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx 
@@ -30,4 +30,4 @@ For **DNS only** records, you can choose a TTL between **30 seconds** (Enterpris ## Nameserver TTL -[Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl) is a separate feature and only affects Cloudflare nameservers and custom nameservers. For other [NS records](/reference/dns-record-types/#ns) on your DNS records table, TTL is controlled by their respective TTL fields. \ No newline at end of file +[Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl) is a separate feature and only affects Cloudflare nameservers and custom nameservers. For other [NS records](/dns/manage-dns-records/reference/dns-record-types/#ns) on your DNS records table, TTL is controlled by their respective TTL fields. \ No newline at end of file From fec9bc473b406a6cdcd86214254861fc1540b90d Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 22 Oct 2024 11:56:37 +0100 Subject: [PATCH 09/12] Clarify added NS vs Cloudflare/custom NS and link out for more --- .../dns/manage-dns-records/reference/dns-record-types.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx index 02e5f3f0cae3c8d..18d9dca401a360d 100644 --- a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx 
@@ -377,10 +377,14 @@ Refer to the following list for information about each SOA record field: A [nameserver (NS) record](https://www.cloudflare.com/learning/dns/dns-records/dns-ns-record/) indicates which server should be used for authoritative DNS. -You only need to add NS records when you are using [subdomain setup](/dns/zone-setups/subdomain-setup/) or [delegating subdomains outside of Cloudflare](/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/). +You only need to add NS records to your DNS records table in Cloudflare when you are using [subdomain setup](/dns/zone-setups/subdomain-setup/) or [delegating subdomains outside of Cloudflare](/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/). +:::note +Your assigned Cloudflare nameservers, custom nameservers, and their corresponding [nameserver TTLs](/dns/nameservers/nameserver-options/#nameserver-ttl) are controlled via dedicated sections in [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records). For details, refer to [Nameservers](/dns/nameservers/). +::: + ### DS and DNSKEY [DS and DNSKEY](https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/) records help implement DNSSEC, which cryptographically signs DNS records to prevent domain spoofing. From 8f492643d28ece9d852fc2fd07e412b4ebb4f1b1 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 13 Dec 2024 15:14:54 +0000 Subject: [PATCH 10/12] Review steps and refs to UI text in ZCNS and ACNS guides --- .../custom-nameservers/account-custom-nameservers.mdx | 5 +++-- .../custom-nameservers/zone-custom-nameservers.mdx | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx index d6527b55b7d5c81..e006795fdfc0cfd 100644 --- a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx 
+++ b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx @@ -36,7 +36,7 @@ For this configuration to be possible, a few conditions apply: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. -2. Go to **Manage Account** > **Configurations**. +2. Go to **Manage Account** > **Configurations** > **DNS Settings**. 3. For **Account custom nameservers**, select **Configure custom nameservers**. 4. Insert a fully qualified domain name for **Nameserver name** and choose a **Nameserver set**. Follow the [configuration conditions](#configuration-conditions). @@ -82,7 +82,8 @@ Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name, and these 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone. 2. Go to **DNS** > **Records**. 3. For **Custom nameservers**, select **Configure**. -4. Select **Use the custom nameservers created for all DNS zones under your account** and choose a nameserver set from the list. +4. Select **Use your account custom nameservers** and choose a nameserver set from the list. +5. Select **Save** to confirm. diff --git a/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx index dfc0757e2890c1b..107479c00573638 100644 --- a/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx +++ b/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx @@ -30,6 +30,7 @@ To create zone custom nameservers: 2. Go to **DNS** > **Records**. 3. On **Custom nameservers**, select **Configure**. 4. Select **Create custom nameservers just for `your-domain.com`** and enter the subdomains used for the ZCNS names (for example, `ns1`, `ns2`, `ns3`). +5. Select **Save** to confirm. 
@@ -41,7 +42,7 @@ Use the [Edit zone endpoint](/api/operations/zones-0-patch) and specify the cust -Cloudflare will assign an IPv4 and an IPv6 address to each ZCNS name and automatically create the associated `A` or `AAAA` records (visible after you refresh the page). +Cloudflare will assign an IPv4 and an IPv6 address to each ZCNS name and automatically create the associated `A` or `AAAA` records. The next step depends on whether you are using [Cloudflare Registrar](/registrar/) for your domain: @@ -63,7 +64,7 @@ To remove zone custom nameservers (and their associated, read-only DNS records): 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone. 2. Go to **DNS** > **Records**. -3. On **Custom nameservers**, select **Remove custom nameservers**. +3. On **Custom nameservers**, select **Disable**. From 465f80ee7fbb6604569f0c45ce3d2bfc75683c6a Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 13 Dec 2024 15:43:07 +0000 Subject: [PATCH 11/12] Update deprecated ACNS Metadata endpoint by DNS Settings for a zone --- .../custom-nameservers/account-custom-nameservers.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx index e006795fdfc0cfd..3b5e989ac0bd28a 100644 --- a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx +++ b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx 
@@ -88,7 +88,7 @@ Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name, and these -Use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) for each zone. +Use the endpoint [Update DNS Settings for a Zone](/api/operations/dns-settings-for-a-zone-update-dns-settings) and configure the `nameservers` object accordingly for each zone. @@ -158,7 +158,7 @@ Following the [configuration conditions](#configuration-conditions), each set mu 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. -2. Go to **Manage Account** > **Configurations**. +2. Go to **Manage Account** > **Configurations** > **DNS Settings**. 3. For **Account custom nameservers**, select **Delete** next to the ACNS name. From 4ae0ab004779633c1c96c021206f5fe21113e3cc Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 13 Dec 2024 16:08:08 +0000 Subject: [PATCH 12/12] Nit: fix links in multi-signer-dnssec/setup intro paragraph --- src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx index 90c0aab17668a60..77ab9187a4575b1 100644 --- a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx +++ b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx 
@@ -8,7 +8,7 @@ sidebar: import { Tabs, TabItem } from "~/components"; -This page explains how you can enable [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/) with Cloudflare, using the [model 2](/dns/dnssec/multi-signer-dnssec/about/) as described in [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html). +This page explains how you can enable [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/about/) with Cloudflare, using the [model 2](/dns/dnssec/multi-signer-dnssec/about/#model-2) as described in [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html). ## Before you begin
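Review bot: In PATCH 01/12, `nameserver-options.mdx`, the new "Account custom nameservers" bullet under "DNS zone defaults" says Cloudflare cycles through the other sets "in ascending order" on conflict, but it does not say what happens when every configured set conflicts. Please state the outcome (for example, whether zone creation fails or another nameserver type is assigned). Since the "Assignment method" paragraph above it already admits that names can differ between zones, it would also help to tell readers to confirm the nameservers actually assigned to the new zone before updating the registrar. This ties in with the domain hijacking caution kept in `nameserver-assignment.mdx`.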
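Review bot: In PATCH 01/12, `cloudflare-as-primary/setup.mdx`, first hunk, the new `:::note` sits directly after the sentence that ends with "enable [multi-provider DNS](...):", so the colon now introduces the note instead of the steps that follow it. Move the note above that sentence or below the steps. "This step may not be necessary" also leaves the reader guessing; suggest telling them how to check, for example by looking at the zone's **DNS** > **Settings** page.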
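Review bot: In PATCH 03/12, `account-custom-nameservers.mdx`, the retained sentence now links to `#2-use-acns-on-existing-zones` where the removed copies linked to `#2-enable-acns-on-existing-zones`, but no hunk shown in this patch changes a heading. Please confirm the section heading on this page already reads "2. Use ACNS on existing zones"; otherwise the in-page link breaks. PATCH 08/12 had to repair a similar link after the fact, so a link check before merging would be worthwhile.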
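Review bot: In PATCH 05/12, `dns-zone-defaults.mdx`, the changed bullet updates the anchor to `#nameserver-ttl` but keeps the link text "NS record TTL" and the unit "in minutes". The same commit renames the heading to "Nameserver TTL" in `nameserver-options.mdx`, where the accepted range is given as 30 to 86,400 seconds. Both points are corrected only in PATCH 06/12; consider folding that fix into this commit so no intermediate revision documents the wrong unit.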
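Review bot: In PATCH 06/12, `ttl.mdx`, the new "Nameserver TTL" section links to `[NS records](/reference/dns-record-types/#ns)`, which drops the `/dns/manage-dns-records` prefix used by every other link to that page in this series (for example `/dns/manage-dns-records/reference/dns-record-types/#soa` in the `dns-zone-defaults.mdx` hunk of the same patch). The link is broken as written and is only repaired in PATCH 08/12; please squash that fix into this commit.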
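Review bot: In PATCH 10/12, `zone-custom-nameservers.mdx`, second hunk, the rewritten sentence still says Cloudflare creates "the associated `A` or `AAAA` records" right after stating that it assigns both an IPv4 and an IPv6 address to each ZCNS name. Since both addresses are assigned, this should read "`A` and `AAAA` records", matching the "glue (A and AAAA) records" wording used for the registrar step on the same page.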
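Review bot: In PATCH 11/12, `account-custom-nameservers.mdx`, first hunk, "configure the `nameservers` object accordingly" does not tell the reader which fields to set or to what values, which is a step backwards from an endpoint whose name described the operation. Please name the fields and values needed to select an ACNS set, or add a request example in the style of the `PATCH` call to `/zones/{zone_id}/dns_settings` shown in `cloudflare-as-primary/setup.mdx`.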