cloudflare · RebeccaTamachiro · Aug 1, 2025 · Jul 4, 2025 · Jul 8, 2025 · Jul 8, 2025
@@ -12,8 +12,9 @@ Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) offer
 
 Consider the sections below for details about advanced nameservers, and refer to [Set up advanced nameservers](/dns/foundation-dns/setup/) to learn how to enable this feature.
 
-:::caution
- <Render file="ns-advanced-vs-custom" /> 
+:::note
+<Render file="ns-advanced-vs-custom" />
+Also, [some behaviors are different](/dns/foundation-dns/setup/#differences-from-standard-nameservers) when compared to standard nameservers.
 :::
 
 ## Anycast network groups

@@ -0,0 +1,17 @@
+---
+pcx_content_type: reference
+title: DNSSEC keys
+sidebar:
+  order: 5
+
+---
+
+With [Foundation DNS](/dns/foundation-dns/), you can request that the ZSK/KSK pair that is used for [DNSSEC](/dns/dnssec/) is unique to your Cloudflare account. To opt in to this feature, contact your account team.
+
+All zones within your Cloudflare account - regardless of using [standard](/dns/nameservers/#standard-nameservers) or [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) - will use the dedicated Zone Signing Key (ZSK) and Key Signing Key (KSK) for DNSSEC. These keys are set at the account level.
+
+## Further reading
+
+For more background information, refer to [How DNSSEC works](https://www.cloudflare.com/learning/dns/dnssec/how-dnssec-works/).
+
+For details about DNSSEC settings at Cloudflare, consider the [DNSSEC documentation](/dns/dnssec/).
@@ -14,7 +14,7 @@ With Foundation DNS, you get access to increased reliability, security, and insi
   * Strategically distributed IPs to enhance resiliency
   * Reduced exposure to incidents or software regression
   * More consistent nameserver assignment
-* DNSSEC keys unique to your zone
+* [DNSSEC keys](/dns/foundation-dns/dnssec-keys/) unique to your account
 * Additional DNS settings, including:
   * [Zone defaults](/dns/additional-options/dns-zone-defaults/)
   * [Account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/)
@@ -24,7 +24,9 @@ With Foundation DNS, you get access to increased reliability, security, and insi
 
 Foundation DNS is only available to Enterprise customers.
 
-Advanced nameservers are an opt-in configuration. Refer to [set up advanced nameservers](/dns/foundation-dns/setup/).
+:::note
+Both advanced nameservers and unique ZSK/KSK are opt-in configurations. Refer to [set up advanced nameservers](/dns/foundation-dns/setup/) and [DNSSEC keys](/dns/foundation-dns/dnssec-keys/) for details.
+:::
 
 ## Related resources
 

@@ -6,10 +6,38 @@ sidebar:
   label: Setup
 ---
 
-import { TabItem, Tabs, APIRequest } from "~/components";
+import { TabItem, Tabs, APIRequest, Render, Details, Example } from "~/components";
 
 Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) are an opt-in configuration.
 
+
+## Before you begin
+
+Before opting in for advanced nameservers, consider the following:
+
+- <Render file="ns-advanced-vs-custom" />
+
+### Differences from standard nameservers
+
+Some behaviors are different from standard Cloudflare nameservers:
+- Wildcard records: if moving from standard Cloudflare nameservers to Foundation DNS advanced nameservers, make sure to explicitly create records for subdomains currently covered by wildcard records (`*.example.com`).
+- Subdomain delegation: once a subdomain is delegated via NS records, Cloudflare will not serve any other records (such as A, TXT, or CNAME) on  that subdomain from the parent zone, even if those records exist.
+
+<Details header="Example">
+
+<Example>
+DNS management for **example.com**
+| **Type** | **Name** | **Content**               |
+| -------- | -------- | ------------------------- |
+| NS     | www      | ns1.externalhost.com     |
+| NS     | www      | ns2.externalhost.com  |
+| TXT    | www      | "5bb16e6b5a444eedb48ace40c471bcc9" |
+| A     | www      | `192.0.2.1` |
+</Example>
+
+In this example, the TXT record and the A record for `www.example.com` will not be served.
+</Details>
+
 ## Enable on a zone
 
 To enable advanced nameservers on an existing zone:

@@ -20,6 +20,10 @@ import { Example, Render, Tabs, TabItem } from "~/components"
 
 Account custom nameservers are available for customers on Business (after [contacting Cloudflare Support](/support/contacting-cloudflare-support/)) or Enterprise plans. Once configured, account custom nameservers can be used by all zones in the account, regardless of the zone plan. Via API or on the dashboard.
 
+:::note
+<Render file="ns-advanced-vs-custom" />
+:::
+
 ## Configuration conditions
 
 For this configuration to be possible, a few conditions apply:

@@ -3,4 +3,4 @@
 
 ---
 
-The advantages that come with Foundation DNS [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) are currently not available for [custom nameservers](/dns/nameservers/custom-nameservers/).
+The advantages that come with Foundation DNS [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) are currently not available for [custom nameservers](/dns/nameservers/custom-nameservers/). Make sure you only use one at a time.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,4 +3,4 @@

		---

		The advantages that come with Foundation DNS [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) are currently not available for [custom nameservers](/dns/nameservers/custom-nameservers/).
		The advantages that come with Foundation DNS [advanced nameservers](/dns/foundation-dns/advanced-nameservers/) are currently not available for [custom nameservers](/dns/nameservers/custom-nameservers/). Make sure you only use one at a time.