From c2d41169ed56b493931277bb6f66f0a2f1709e66 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Fri, 4 Jul 2025 10:10:50 +0100
Subject: [PATCH 01/13] Introduce new limitations section for advanced NS
---
 .../docs/dns/foundation-dns/advanced-nameservers.mdx | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx b/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
index eff393532fa9b0..2c4b634e4cffa7 100644
--- a/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
+++ b/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
@@ -12,9 +12,10 @@ Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) offer
 Consider the sections below for details about advanced nameservers, and refer to [Set up advanced nameservers](/dns/foundation-dns/setup/) to learn how to enable this feature.
-:::caution
-
-:::
+### Limitations
+
+-
+- Wildcard records behave differently. If moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
 ## Anycast network groups
From da1a3bf71b731b10725875972a90c2634c913881 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Tue, 8 Jul 2025 10:57:11 +0100
Subject: [PATCH 02/13] Expand to more general considerations and move to setup.mdx
---
 .../dns/foundation-dns/advanced-nameservers.mdx | 5 -----
 src/content/docs/dns/foundation-dns/setup.mdx | 13 ++++++++++++-
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx b/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
index 2c4b634e4cffa7..097678e3dbad4f 100644
--- a/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
+++ b/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
@@ -12,11 +12,6 @@ Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) offer
 Consider the sections below for details about advanced nameservers, and refer to [Set up advanced nameservers](/dns/foundation-dns/setup/) to learn how to enable this feature.
-### Limitations
-
--
-- Wildcard records behave differently. If moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
-
 ## Anycast network groups
 To increase resiliency, advanced nameserver IPs are advertised by only one of two anycast network groups.
diff --git a/src/content/docs/dns/foundation-dns/setup.mdx b/src/content/docs/dns/foundation-dns/setup.mdx
index d2852005f51068..9e3d23584e6b1a 100644
--- a/src/content/docs/dns/foundation-dns/setup.mdx
+++ b/src/content/docs/dns/foundation-dns/setup.mdx
@@ -6,10 +6,21 @@ sidebar:
 label: Setup
 ---
-import { TabItem, Tabs, APIRequest } from "~/components";
+import { TabItem, Tabs, APIRequest, Render } from "~/components";
 Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) are an opt-in configuration.
+
+## Before you begin
+
+Before opting in for advanced nameservers, consider the following:
+
+-
+
+- Some behaviors are different from standard Cloudflare nameservers:
+ - Wildcard records: if moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
+ - Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records on that subdomain (such as A, TXT, or CNAME) from the parent zone, even if those records exist.
+
 ## Enable on a zone
 To enable advanced nameservers on an existing zone:
From fab2b3ac18f5f1d6421a779bc930603f31f26073 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Tue, 8 Jul 2025 11:13:19 +0100
Subject: [PATCH 03/13] Text review and add example DNS table for delegation
---
 src/content/docs/dns/foundation-dns/setup.mdx | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/dns/foundation-dns/setup.mdx b/src/content/docs/dns/foundation-dns/setup.mdx
index 9e3d23584e6b1a..63c8d2027691d3 100644
--- a/src/content/docs/dns/foundation-dns/setup.mdx
+++ b/src/content/docs/dns/foundation-dns/setup.mdx
@@ -6,7 +6,7 @@ sidebar:
 label: Setup
 ---
-import { TabItem, Tabs, APIRequest, Render } from "~/components";
+import { TabItem, Tabs, APIRequest, Render, Details, Example } from "~/components";
 Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) are an opt-in configuration.
@@ -19,7 +19,25 @@ Before opting in for advanced nameservers, consider the following:
 - Some behaviors are different from standard Cloudflare nameservers:
 - Wildcard records: if moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
- - Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records on that subdomain (such as A, TXT, or CNAME) from the parent zone, even if those records exist.
+ - Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records (such as A, TXT, or CNAME) on that subdomain from the parent zone, even if those records exist.
+
+
+
+
+
+ DNS management for **example.com**
+
+ | **Type** | **Name** | **Content** |
+ | -------- | -------- | ------------------------- |
+ | NS | www | ns1.externalhost.com |
+ | NS | www | ns2.externalhost.com |
+ | TXT | www | "5bb16e6b5a444eedb48ace40c471bcc9" |
+ | A | www | `192.0.2.1` |
+
+
+ In this example, the TXT record and the A record for `www.example.com` will not be served.
+
+
## Enable on a zone
From dfe34d8d995fb821001a54a0b204283c5eb7ab83 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Tue, 8 Jul 2025 11:15:30 +0100
Subject: [PATCH 04/13] Re-add note on Advanced NS vs Custom NS to concept page
---
 src/content/docs/dns/foundation-dns/advanced-nameservers.mdx | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx b/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
index 097678e3dbad4f..915f338f6401b4 100644
--- a/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
+++ b/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
@@ -12,6 +12,10 @@ Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) offer
 Consider the sections below for details about advanced nameservers, and refer to [Set up advanced nameservers](/dns/foundation-dns/setup/) to learn how to enable this feature.
+:::note
+
+:::
+
 ## Anycast network groups
 To increase resiliency, advanced nameserver IPs are advertised by only one of two anycast network groups.
From 9dbdbdebb4b59d88517257310410331fc24c5fbf Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Tue, 8 Jul 2025 11:33:49 +0100
Subject: [PATCH 05/13] Use specific header for more emphasis and better linking
---
 .../foundation-dns/advanced-nameservers.mdx | 1 +
 src/content/docs/dns/foundation-dns/setup.mdx | 41 +++++++++----------
 2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx b/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
index 915f338f6401b4..2e29bf9d7fb301 100644
--- a/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
+++ b/src/content/docs/dns/foundation-dns/advanced-nameservers.mdx
@@ -14,6 +14,7 @@ Consider the sections below for details about advanced nameservers, and refer to
 :::note
+Also, [some behaviors are different](/dns/foundation-dns/setup/#differences-from-standard-nameservers) when compared to standard nameservers.
 :::
 ## Anycast network groups
diff --git a/src/content/docs/dns/foundation-dns/setup.mdx b/src/content/docs/dns/foundation-dns/setup.mdx
index 63c8d2027691d3..d869b108bd9020 100644
--- a/src/content/docs/dns/foundation-dns/setup.mdx
+++ b/src/content/docs/dns/foundation-dns/setup.mdx
@@ -17,27 +17,26 @@ Before opting in for advanced nameservers, consider the following:
 -
-- Some behaviors are different from standard Cloudflare nameservers:
- - Wildcard records: if moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
- - Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records (such as A, TXT, or CNAME) on that subdomain from the parent zone, even if those records exist.
-
-
-
-
-
- DNS management for **example.com**
-
- | **Type** | **Name** | **Content** |
- | -------- | -------- | ------------------------- |
- | NS | www | ns1.externalhost.com |
- | NS | www | ns2.externalhost.com |
- | TXT | www | "5bb16e6b5a444eedb48ace40c471bcc9" |
- | A | www | `192.0.2.1` |
-
-
- In this example, the TXT record and the A record for `www.example.com` will not be served.
-
-
+### Differences from standard nameservers
+
+Some behaviors are different from standard Cloudflare nameservers:
+- Wildcard records: if moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
+- Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records (such as A, TXT, or CNAME) on that subdomain from the parent zone, even if those records exist.
+
+
+
+
+DNS management for **example.com**
+| **Type** | **Name** | **Content** |
+| -------- | -------- | ------------------------- |
+| NS | www | ns1.externalhost.com |
+| NS | www | ns2.externalhost.com |
+| TXT | www | "5bb16e6b5a444eedb48ace40c471bcc9" |
+| A | www | `192.0.2.1` |
+
+
+In this example, the TXT record and the A record for `www.example.com` will not be served.
+
## Enable on a zone
From 459ff3be89d13ccbc6bad800bf66c586a9f6910d Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Thu, 10 Jul 2025 10:05:35 +0100
Subject: [PATCH 06/13] Nest DNSSEC keys under Advanced NS in Foundation DNS features
---
 src/content/docs/dns/foundation-dns/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/dns/foundation-dns/index.mdx b/src/content/docs/dns/foundation-dns/index.mdx
index c8e7494f27228f..6fc9ee9b9c8f15 100644
--- a/src/content/docs/dns/foundation-dns/index.mdx
+++ b/src/content/docs/dns/foundation-dns/index.mdx
@@ -14,7 +14,7 @@ With Foundation DNS, you get access to increased reliability, security, and insi
 * Strategically distributed IPs to enhance resiliency
 * Reduced exposure to incidents or software regression
 * More consistent nameserver assignment
-* DNSSEC keys unique to your zone
+ * DNSSEC keys unique to your zone
 * Additional DNS settings, including:
 * [Zone defaults](/dns/additional-options/dns-zone-defaults/)
 * [Account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/)
From 379645e6b0477229b7095d2821ad4da83fd92750 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Thu, 10 Jul 2025 10:06:58 +0100
Subject: [PATCH 07/13] Add note on advanced ns vs custom in account-custom-nameservers
---
 .../custom-nameservers/account-custom-nameservers.mdx | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx
index 1c08ee62d880e0..7baa43c7933145 100644
--- a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx
+++ b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx
@@ -20,6 +20,10 @@ import { Example, Render, Tabs, TabItem } from "~/components"
 Account custom nameservers are available for customers on Business (after [contacting Cloudflare Support](/support/contacting-cloudflare-support/)) or Enterprise plans. Once configured, account custom nameservers can be used by all zones in the account, regardless of the zone plan. Via API or on the dashboard.
+:::note
+
+:::
+
 ## Configuration conditions
 For this configuration to be possible, a few conditions apply:
From 984d455cb530b0ae6071186d35979ef23386cb06 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Thu, 10 Jul 2025 10:13:18 +0100
Subject: [PATCH 08/13] Further clarify advanced-vs-custom NS and align with UI messaging
---
 src/content/partials/dns/ns-advanced-vs-custom.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/partials/dns/ns-advanced-vs-custom.mdx b/src/content/partials/dns/ns-advanced-vs-custom.mdx
index 6e3c5f78af1bc3..085c0ab10e6714 100644
--- a/src/content/partials/dns/ns-advanced-vs-custom.mdx
+++ b/src/content/partials/dns/ns-advanced-vs-custom.mdx
@@ -3,4 +3,4 @@
 ---
-The advantages that come with Foundation DNS [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) are currently not available for [custom nameservers](/dns/nameservers/custom-nameservers/).
+The advantages that come with Foundation DNS [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) are currently not available for [custom nameservers](/dns/nameservers/custom-nameservers/). Make sure you only use one at a time.
From f6c51935d3059315ba5a5a8d56beebc12b8c0224 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Thu, 10 Jul 2025 10:15:40 +0100
Subject: [PATCH 09/13] Revert "Nest DNSSEC keys under Advanced NS in Foundation DNS features"
This reverts commit 459ff3be89d13ccbc6bad800bf66c586a9f6910d.
---
 src/content/docs/dns/foundation-dns/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/dns/foundation-dns/index.mdx b/src/content/docs/dns/foundation-dns/index.mdx
index 6fc9ee9b9c8f15..c8e7494f27228f 100644
--- a/src/content/docs/dns/foundation-dns/index.mdx
+++ b/src/content/docs/dns/foundation-dns/index.mdx
@@ -14,7 +14,7 @@ With Foundation DNS, you get access to increased reliability, security, and insi
 * Strategically distributed IPs to enhance resiliency
 * Reduced exposure to incidents or software regression
 * More consistent nameserver assignment
- * DNSSEC keys unique to your zone
+* DNSSEC keys unique to your zone
 * Additional DNS settings, including:
 * [Zone defaults](/dns/additional-options/dns-zone-defaults/)
 * [Account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/)
From 61d7284facdf10563c462fea5b1a921a9a724ea1 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Thu, 24 Jul 2025 09:24:10 +0100
Subject: [PATCH 10/13] Replace 'zone' by 'account' in features list
---
 src/content/docs/dns/foundation-dns/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/dns/foundation-dns/index.mdx b/src/content/docs/dns/foundation-dns/index.mdx
index c8e7494f27228f..27f34f03b35156 100644
--- a/src/content/docs/dns/foundation-dns/index.mdx
+++ b/src/content/docs/dns/foundation-dns/index.mdx
@@ -14,7 +14,7 @@ With Foundation DNS, you get access to increased reliability, security, and insi
 * Strategically distributed IPs to enhance resiliency
 * Reduced exposure to incidents or software regression
 * More consistent nameserver assignment
-* DNSSEC keys unique to your zone
+* DNSSEC keys unique to your account
 * Additional DNS settings, including:
 * [Zone defaults](/dns/additional-options/dns-zone-defaults/)
 * [Account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/)
From 643fb6cdc28647ce1cee2581b020b7c8f14ee298 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Thu, 24 Jul 2025 10:15:57 +0100
Subject: [PATCH 11/13] Create dedicated page explaining Foundation DNSSEC keys
---
 .../docs/dns/foundation-dns/dnssec-keys.mdx | 17 +++++++++++++++++
 src/content/docs/dns/foundation-dns/index.mdx | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 src/content/docs/dns/foundation-dns/dnssec-keys.mdx
diff --git a/src/content/docs/dns/foundation-dns/dnssec-keys.mdx b/src/content/docs/dns/foundation-dns/dnssec-keys.mdx
new file mode 100644
index 00000000000000..e60c78d2197a29
--- /dev/null
+++ b/src/content/docs/dns/foundation-dns/dnssec-keys.mdx
@@ -0,0 +1,17 @@
+---
+pcx_content_type: reference
+title: DNSSEC keys
+sidebar:
+ order: 5
+
+---
+
+With [Foundation DNS](/dns/foundation-dns/), the ZSK/KSK pair that is used for [DNSSEC](/dns/dnssec/) is unique to your Cloudflare account.
+
+All zones within your Cloudflare account - regardless of using [standard](/dns/nameservers/#standard-nameservers) or [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) - will use the dedicated Zone Signing Key (ZSK) and Key Signing Key (KSK) for DNSSEC. These keys are set at the account level.
+
+## Further reading
+
+For more background information, refer to [How DNSSEC works](https://www.cloudflare.com/learning/dns/dnssec/how-dnssec-works/).
+
+For details about DNSSEC settings at Cloudflare, consider the [DNSSEC documentation](/dns/dnssec/).
\ No newline at end of file
diff --git a/src/content/docs/dns/foundation-dns/index.mdx b/src/content/docs/dns/foundation-dns/index.mdx
index 27f34f03b35156..bb448c2c67e53c 100644
--- a/src/content/docs/dns/foundation-dns/index.mdx
+++ b/src/content/docs/dns/foundation-dns/index.mdx
@@ -14,7 +14,7 @@ With Foundation DNS, you get access to increased reliability, security, and insi
 * Strategically distributed IPs to enhance resiliency
 * Reduced exposure to incidents or software regression
 * More consistent nameserver assignment
-* DNSSEC keys unique to your account
+* [DNSSEC keys](/dns/foundation-dns/dnssec-keys/) unique to your account
 * Additional DNS settings, including:
 * [Zone defaults](/dns/additional-options/dns-zone-defaults/)
 * [Account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/)
From 37b56e65dd45429c07503739d11d2cca511a849e Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro
Date: Thu, 31 Jul 2025 18:24:06 +0100
Subject: [PATCH 12/13] Add clarification on how to get unique DNSSEC keys
---
 src/content/docs/dns/foundation-dns/dnssec-keys.mdx | 2 +-
 src/content/docs/dns/foundation-dns/index.mdx | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/dns/foundation-dns/dnssec-keys.mdx b/src/content/docs/dns/foundation-dns/dnssec-keys.mdx
index e60c78d2197a29..055be914c245a4 100644
--- a/src/content/docs/dns/foundation-dns/dnssec-keys.mdx
+++ b/src/content/docs/dns/foundation-dns/dnssec-keys.mdx
@@ -6,7 +6,7 @@ sidebar:
 ---
-With [Foundation DNS](/dns/foundation-dns/), the ZSK/KSK pair that is used for [DNSSEC](/dns/dnssec/) is unique to your Cloudflare account.
+With [Foundation DNS](/dns/foundation-dns/), you can request that the ZSK/KSK pair that is used for [DNSSEC](/dns/dnssec/) is unique to your Cloudflare account. To opt in to this feature, contact your account team.
 All zones within your Cloudflare account - regardless of using [standard](/dns/nameservers/#standard-nameservers) or [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) - will use the dedicated Zone Signing Key (ZSK) and Key Signing Key (KSK) for DNSSEC. These keys are set at the account level.
diff --git a/src/content/docs/dns/foundation-dns/index.mdx b/src/content/docs/dns/foundation-dns/index.mdx
index bb448c2c67e53c..22c25805590ef3 100644
--- a/src/content/docs/dns/foundation-dns/index.mdx
+++ b/src/content/docs/dns/foundation-dns/index.mdx
@@ -24,7 +24,9 @@ With Foundation DNS, you get access to increased reliability, security, and insi
 Foundation DNS is only available to Enterprise customers.
-Advanced nameservers are an opt-in configuration. Refer to [set up advanced nameservers](/dns/foundation-dns/setup/).
+:::note
+Both advanced nameservers and unique ZSK/KSK are opt-in configurations. Refer to [set up advanced nameservers](/dns/foundation-dns/setup/) and [DNSSEC keys](/dns/foundation-dns/dnssec-keys/) for details.
+:::
 ## Related resources
From 0341a33fcd6248f8a4fa05ec28a7e7ce2828ce49 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com>
Date: Fri, 1 Aug 2025 08:29:21 +0100
Subject: [PATCH 13/13] Apply suggestions from code review
Co-authored-by: Max Phillips
---
 src/content/docs/dns/foundation-dns/dnssec-keys.mdx | 2 +-
 src/content/docs/dns/foundation-dns/setup.mdx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/dns/foundation-dns/dnssec-keys.mdx b/src/content/docs/dns/foundation-dns/dnssec-keys.mdx
index 055be914c245a4..8eb76ead3ff9a1 100644
--- a/src/content/docs/dns/foundation-dns/dnssec-keys.mdx
+++ b/src/content/docs/dns/foundation-dns/dnssec-keys.mdx
@@ -14,4 +14,4 @@ All zones within your Cloudflare account - regardless of using [standard](/dns/n
 For more background information, refer to [How DNSSEC works](https://www.cloudflare.com/learning/dns/dnssec/how-dnssec-works/).
-For details about DNSSEC settings at Cloudflare, consider the [DNSSEC documentation](/dns/dnssec/).
\ No newline at end of file
+For details about DNSSEC settings at Cloudflare, refer to the [DNSSEC documentation](/dns/dnssec/).
\ No newline at end of file
diff --git a/src/content/docs/dns/foundation-dns/setup.mdx b/src/content/docs/dns/foundation-dns/setup.mdx
index d869b108bd9020..0ddd74d03a638e 100644
--- a/src/content/docs/dns/foundation-dns/setup.mdx
+++ b/src/content/docs/dns/foundation-dns/setup.mdx
@@ -21,7 +21,7 @@ Before opting in for advanced nameservers, consider the following:
 Some behaviors are different from standard Cloudflare nameservers:
 - Wildcard records: if moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
-- Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records (such as A, TXT, or CNAME) on that subdomain from the parent zone, even if those records exist.
+- Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records (such as A, TXT, or CNAME) on that subdomain from the parent zone, even if those records exist.