[DNS] Zone conversions guides

public/_redirects

@@ -324,6 +324,8 @@
 /dns/manage-dns-records/how-to/dns-load-balancing/ /dns/manage-dns-records/how-to/round-robin-dns/ 301
 /dns/manage-dns-records/how-to/create-root-domain/ /dns/manage-dns-records/how-to/create-zone-apex/ 301
 /dns/reference/troubleshooting/ /dns/reference/recommended-third-party-tools/ 301
+/dns/zone-setups/partial-setup/convert-partial-to-full/ /dns/zone-setups/conversions/convert-partial-to-full/ 301
+/dns/zone-setups/partial-setup/convert-partial-to-secondary/ /dns/zone-setups/conversions/convert-partial-to-secondary/ 301
 /dns/zone-setups/troubleshooting/dns-probe-finished-nxdomain/ /dns/troubleshooting/dns-probe-finished-nxdomain/ 301
 /dns/zone-setups/troubleshooting/nameservers/ /dns/zone-setups/full-setup/troubleshooting/ 301
 /support/dns/ /dns/ 301

src/content/docs/dns/zone-setups/conversions/convert-full-to-partial.mdx

@@ -0,0 +1,8 @@
+---
+pcx_content_type: navigation
+title: Convert full setup to partial setup
+external_link: /dns/zone-setups/partial-setup/setup/
+sidebar:
+  order: 1
+  label: Full to partial
+---

src/content/docs/dns/zone-setups/conversions/convert-full-to-secondary.mdx

@@ -0,0 +1,56 @@
+---
+title: Convert full setup to secondary setup
+pcx_content_type: tutorial
+sidebar:
+  order: 2
+  label: Full to secondary
+---
+
+import { Tabs, TabItem, Render, GlossaryTooltip } from "~/components";
+
+If you initially configured a [full setup](/dns/zone-setups/full-setup/), you can later convert your zone to use [incoming zone transfers (Cloudflare as secondary)](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup/).
+
+<Render file="conversion-subdomain-setup-callout" />
+
+Follow the steps below to achieve this conversion.
+
+## 1. Prepare DNS records
+
+1. [Export a zone file](/dns/manage-dns-records/how-to/import-and-export/#export-records).
+2. Import the zone file into your new primary DNS provider.
+3. At your Cloudflare zone, use the [Update DNS Settings](/api/operations/dns-settings-for-a-zone-update-dns-settings) endpoint to enable [secondary DNS overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/). Set the value for `secondary_overrides` to `true`.
+
+    :::note
+    Enabling secondary DNS overrides is necessary in case you have DNS records that you wish to keep <GlossaryTooltip term="proxy status" link="/dns/manage-dns-records/reference/proxied-dns-records/">proxied</GlossaryTooltip>.
+    :::
+
+## 2. Prepare the zone transfers
+
+1. Make adjustments to DNSSEC according to your option for [DNSSEC with secondary setup](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/).
+2. (Optional) Create a Transaction Signature (TSIG).
+
+    <Render file="tsig-definition" />
+
+    <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+    <Render file="tsig-create-dash" />
+
+    </TabItem> <TabItem label="API">
+
+    <Render file="tsig-create-api" />
+
+    </TabItem> </Tabs>
+
+3. Create a peer server.
+
+    <Render file="create-peer-server" />
+
+## 3. Convert the zone and initiate zone transfers
+
+1. Use the [Edit Zone endpoint](/api/operations/zones-0-patch) with `type` set to `secondary` to convert the zone type. The existing records will remain in place.
+2. Go to **DNS** > **Settings** > **DNS Zone Transfers** and select **Manage linked peers**.
+3. Link the peer server you created in the previous steps and select **Save**.
+4. On  **DNS** > **Settings**, select **Initiate zone transfer**.
+5. Confirm the DNS records are transferring as expected.
+6. Go to [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) and take note of your new **Cloudflare Nameservers**.
+7. At your domain registrar (or parent zone), [update your nameservers](/dns/nameservers/update-nameservers/) to include the `secondary.cloudflare.com` nameservers.

src/content/docs/dns/zone-setups/partial-setup/convert-partial-to-full.mdx → src/content/docs/dns/zone-setups/conversions/convert-partial-to-full.mdx

@@ -1,16 +1,17 @@
 ---
-title: Convert to full setup
+title: Convert partial setup to full setup
 pcx_content_type: tutorial
 sidebar:
-  order: 3
-head:
-  - tag: title
-    content: Convert partial setup to full setup
-
+  order: 4
+  label: Partial to full
 ---
 
+import { Render } from "~/components";
+
 If you initially set up a partial domain on Cloudflare, you can later migrate it to a [full setup](/dns/zone-setups/full-setup/).
 
+<Render file="conversion-subdomain-setup-callout" />
+
 ## 1. Prepare Cloudflare SSL/TLS
 
 In the Cloudflare dashboard, either order an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/) or [upload a custom SSL certificate](/ssl/edge-certificates/custom-certificates/uploading/) for your website or application.

src/content/docs/dns/zone-setups/partial-setup/convert-partial-to-secondary.mdx → src/content/docs/dns/zone-setups/conversions/convert-partial-to-secondary.mdx

@@ -1,17 +1,17 @@
 ---
-title: Convert to secondary setup
+title: Convert partial setup to secondary setup
 pcx_content_type: tutorial
 sidebar:
-  order: 4
-head:
-  - tag: title
-    content: Convert partial setup to secondary setup
+  order: 5
+  label: Partial to secondary
 ---
 
 import { Details, Render, TabItem, Tabs } from "~/components";
 
 If you initially set up a [partial zone](/dns/zone-setups/partial-setup/) on Cloudflare, you can later convert it to use a [secondary setup](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/).
 
+<Render file="conversion-subdomain-setup-callout" />
+
 This page will guide you through this conversion using [export and import](/dns/manage-dns-records/how-to/import-and-export/) and API calls.
 
 ## Before you begin

src/content/docs/dns/zone-setups/conversions/convert-secondary-to-full.mdx

@@ -0,0 +1,43 @@
+---
+title: Convert secondary setup to full setup
+pcx_content_type: tutorial
+sidebar:
+  order: 7
+  label: Secondary to full
+
+---
+
+import { Render } from "~/components";
+
+If you initially set up [incoming zone transfers (Cloudflare as secondary)](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup/), you can later convert your zone to use a full setup.
+
+<Render file="conversion-subdomain-setup-callout" />
+
+Follow the steps below to achieve this conversion.
+
+## 1. Stop transferring the zone
+
+<Render file="secondary-conversion-unlink" />
+
+## 2. Prepare for the conversion
+
+1. Plan for [DNSSEC settings](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/). If you were previously using [Pre-signed DNSSEC](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/#set-up-pre-signed-dnssec), consider disabling DNSSEC before starting the conversion.
+2. Make sure the [proxy statuses](/dns/manage-dns-records/reference/proxied-dns-records/) of your DNS records are consistently set:
+
+    - If you have [Secondary DNS override](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/), confirm each record has the appropriate setting (**Proxied** or **DNS only**).
+    - If [Secondary DNS override](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) is disabled, make sure all of your DNS records are listed as **DNS only**.
+
+3. (Optional) For consistency, use the [Update DNS Settings](/api/operations/dns-settings-for-a-zone-update-dns-settings) endpoint to specify SOA record fields according to your needs. Once Cloudflare automatically generates an SOA record for your zone on full setup, the field overrides will be considered.
+
+## 3. Convert your zone
+
+1. Use the [Edit Zone endpoint](/api/operations/zones-0-patch) with `type` set to `full` to convert the zone type. Existing DNS records will not be affected.
+2. Go to [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) and take note of your new **Cloudflare Nameservers**.
+3. At your domain registrar (or parent zone), [update your nameservers](/dns/nameservers/update-nameservers/). Replace the nameservers ending in `secondary.cloudflare.com` by the ones ending in `ns.cloudflare.com`.
+
+    :::note
+    If Cloudflare will be your only primary DNS provider, remove any other nameservers as well.
+    :::
+
+4. Delete the previous SOA record to make sure Cloudflare generates a new one.
+5. (Optional) If Cloudflare was previously not signing your records and you wish to use DNSSEC, follow the steps to [Enable DNSSEC](/dns/dnssec/#enable-dnssec).

src/content/docs/dns/zone-setups/conversions/convert-secondary-to-partial.mdx

@@ -0,0 +1,68 @@
+---
+title: Convert secondary setup to partial setup
+pcx_content_type: tutorial
+sidebar:
+  order: 8
+  label: Secondary to partial
+
+---
+
+
+import { GlossaryTooltip, Details, Render } from "~/components";
+
+If you initially set up [incoming zone transfers (Cloudflare as secondary)](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup/), you can later convert your zone to use a <GlossaryTooltip term="partial setup">partial setup</GlossaryTooltip>.
+
+<Render file="conversion-subdomain-setup-callout" />
+
+Follow the steps below to achieve this conversion.
+
+## 1. Stop transferring the zone
+
+<Render file="secondary-conversion-unlink" />
+
+## 2. Configure your authoritative DNS provider
+
+1. (Optional) If you are also migrating to a new authoritative DNS provider, export a zone file from the previous provider and import it into the new one.
+2. At your authoritative DNS provider, create `CNAME` records pointing to `{your-hostname}.cdn.cloudflare.net` for every hostname you wish to proxy through Cloudflare.
+
+    <Details header="Example CNAME record at authoritative DNS provider">
+
+    The `CNAME` record for `www.example.com` would be:
+
+    ```txt
+    www.example.com CNAME www.example.com.cdn.cloudflare.net
+    ```
+    </Details>
+
+3. At your authoritative DNS provider, remove any previously existing `A`, `AAAA`, or `CNAME` records referencing the hostnames you want to proxy through Cloudflare. For these hostnames, leave only the records pointing to `{your-hostname}.cdn.cloudflare.net`.
+
+## 3. Convert your Cloudflare zone
+
+1. Back at your Cloudflare zone, confirm that you have all the `A`, `AAAA`, or `CNAME` [DNS records](/dns/manage-dns-records/how-to/create-dns-records/) needed for the hostnames you pointed to `{your-hostname}.cdn.cloudflare.net` in the previous step. You can also delete any DNS records that have a different type, as they will no longer resolve once you convert your zone to a partial setup.
+2. Use the [Edit Zone endpoint](/api/operations/zones-0-patch) with `type` set to `partial` to convert the zone type. Existing DNS records will not be affected.
+3. On [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records), get the **Verification TXT Record** and add it at your authoritative DNS provider.
+
+    <Details header="Example verification record">
+
+    A verification record for `sub.example.com` might be:
+
+    | Type | Name                            | Content             |
+    | ---- | ------------------------------- | ------------------- |
+    | TXT  | `cloudflare-verify.sub.example.com` | 966215192-518620144 |
+
+    If your authoritative DNS provider automatically appends DNS record `name` fields with your domain, make sure to only insert `cloudflare-verify` as the record name. Otherwise, it may result in an incorrect record name, such as `cloudflare-verify.sub.example.com.sub.example.com`.
+
+    After creating the record, you can use this [Dig Web Interface link](https://digwebinterface.com/?type=TXT&ns=auth&nameservers=) to search (`dig`) for `cloudflare-verify.<YOUR DOMAIN>` and validate if it is working.
+
+    </Details>
+
+    :::note
+    The verification record must remain in place for as long as you want your partial setup to be active on Cloudflare.
+    :::
+
+## 4. Update nameservers
+
+At your domain registrar (or parent zone), [update the nameservers](/dns/nameservers/update-nameservers/). In a partial (CNAME) setup, only the nameservers of your external DNS provider should be listed.
+
+    - Remove any `secondary.cloudflare.com` nameservers if you used to have them.
+    - If you are also migrating to a new authoritative DNS provider, add your new nameservers.

src/content/docs/dns/zone-setups/conversions/index.mdx

@@ -0,0 +1,15 @@
+---
+pcx_content_type: navigation
+title: Zone setup conversions
+sidebar:
+  order: 10
+  group:
+    hideIndex: true
+    label: Zone conversions
+---
+
+import { DirectoryListing } from "~/components";
+
+You can perform the following zone setup conversions:
+
+<DirectoryListing />

src/content/docs/dns/zone-setups/partial-setup/index.mdx

@@ -15,7 +15,8 @@ Once you are on a partial setup, the actual resolution of your records to Cloudf
 ## How to
 
 * [Set up a partial domain](/dns/zone-setups/partial-setup/setup/)
-* [Convert a partial domain to a full domain](/dns/zone-setups/partial-setup/convert-partial-to-full/)
+* [Convert a partial setup to a full setup](/dns/zone-setups/conversions/convert-partial-to-full/)
+* [Convert a partial setup to a secondary setup](/dns/zone-setups/conversions/convert-partial-to-secondary/)
 
 ## Availability
 

src/content/docs/dns/zone-setups/removal.mdx

@@ -2,7 +2,7 @@
 title: Zone removal
 pcx_content_type: concept
 sidebar:
-  order: 8
+  order: 12
 
 ---
 

src/content/partials/dns/conversion-subdomain-setup-callout.mdx

@@ -0,0 +1,10 @@
+---
+{}
+
+---
+
+:::caution[Subdomain setup]
+If you also use subdomain setup[^1], consider the [available combinations](/dns/zone-setups/subdomain-setup/setup/#available-setups) and whether your zone conversion could have any implications.
+:::
+
+[^1]: Meaning you have one or more subdomains (`sub.example.com`) added to Cloudflare as their own zone, separate from your apex domain (`example.com`).

src/content/partials/dns/secondary-conversion-unlink.mdx

@@ -0,0 +1,10 @@
+---
+{}
+
+---
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone.
+2. Go to **DNS** > **Settings** > **DNS Zone Transfers** and select **Manage linked peers**.
+3. Unlink the peer and select **Save**.
+
+At this point, your zone will be read-only.