diff --git a/src/content/docs/dns/foundation-dns/setup.mdx b/src/content/docs/dns/foundation-dns/setup.mdx index 3493b0bad7b8e5c..d268725d4d31873 100644 --- a/src/content/docs/dns/foundation-dns/setup.mdx +++ b/src/content/docs/dns/foundation-dns/setup.mdx @@ -17,6 +17,10 @@ import { Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) are an opt-in configuration. +:::note +After enabling advanced nameservers, standard nameservers still respond to DNS queries. +::: + ## Before you begin Before opting in for advanced nameservers, consider the following: diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx index 2271e7d9a1287fe..dfbd6ae44737344 100644 --- a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx +++ b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx 
@@ -14,28 +14,11 @@ import { Render, TabItem, Tabs, APIRequest, DashButton } from "~/components"; With [outgoing zone transfers](/dns/zone-setups/zone-transfers/cloudflare-as-primary/), you can keep Cloudflare as your primary DNS provider and use one or more secondary providers for increased availability and fault tolerance. -## Aspects to consider - -### DNS-only CNAME records - -As explained in [DNS record types](/dns/manage-dns-records/reference/dns-record-types/#cname), Cloudflare uses a process called [CNAME flattening](/dns/cname-flattening/) to return the final IP address instead of the CNAME target. CNAME flattening improves performance and is also what allows you to set a CNAME record on the zone apex. - -Depending on the [settings](/dns/cname-flattening/set-up-cname-flattening/) you have, when you use DNS-only CNAME records with outgoing zone transfers, you can expect the following: - -- For DNS-only CNAME records on the zone apex, Cloudflare will always transfer out the flattened IP addresses. -- For DNS-only CNAME records on subdomains, Cloudflare will only transfer out flattened IP addresses if the setting [**Flatten all CNAMEs**](/dns/cname-flattening/set-up-cname-flattening/#for-all-cname-records) is enabled. - -### Proxied records - -For each [proxied DNS record](/dns/proxy-status/) in your zone, Cloudflare will transfer out two `A` and two `AAAA` records. - -These records correspond to the [Cloudflare IP addresses](https://www.cloudflare.com/ips) used for proxying traffic. - ## Before you begin Make sure your account team has enabled your zone for outgoing zone transfers. -Review your [existing DNS records](/dns/manage-dns-records/how-to/create-dns-records/) to make sure all of them have the desired **Proxy status**. 
+Consider the [expected behaviors](/dns/zone-setups/zone-transfers/cloudflare-as-primary/transfer-criteria/) for different record types, and review your [existing DNS records](/dns/manage-dns-records/how-to/create-dns-records/) to make sure all of them have the desired **Proxy status**. If using the API, you may also want to [locate your Zone and Account IDs](/fundamentals/account/find-account-and-zone-ids/). diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/transfer-criteria.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/transfer-criteria.mdx new file mode 100644 index 000000000000000..2f222bce5fe5726 --- /dev/null +++ b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/transfer-criteria.mdx 
@@ -0,0 +1,42 @@ +--- +pcx_content_type: reference +title: Records transfer +sidebar: + order: 9 +--- + +Consider the sections below to understand the expected behaviors, depending on DNS record type and proxied status. + + +## Proxied records + +For each [proxied DNS record](/dns/proxy-status/) in your zone, Cloudflare will transfer out two `A` and two `AAAA` records. + +These records correspond to the [Cloudflare IP addresses](https://www.cloudflare.com/ips) used for proxying traffic. + +## DNS-only CNAME records + +As explained in [DNS record types](/dns/manage-dns-records/reference/dns-record-types/#cname), Cloudflare uses a process called [CNAME flattening](/dns/cname-flattening/) to return the final IP address instead of the CNAME target. CNAME flattening improves performance and is also what allows you to set a CNAME record on the zone apex. + +Depending on the [settings](/dns/cname-flattening/set-up-cname-flattening/) you have, when you use DNS-only CNAME records with outgoing zone transfers, you can expect the following: + +- For DNS-only CNAME records on the zone apex, Cloudflare will always transfer out the flattened IP addresses. +- For DNS-only CNAME records on subdomains, Cloudflare will only transfer out flattened IP addresses if the setting [**CNAME flattening for all CNAME records**](/dns/cname-flattening/set-up-cname-flattening/#for-all-cname-records) is enabled. + +:::note[Per-record CNAME flattening] + +For records using [per-record CNAME flattening](/dns/cname-flattening/set-up-cname-flattening/#per-record) (meaning **CNAME flattening for all CNAME records** is disabled), Cloudflare will transfer out the CNAME, not the flattened IP address. 
+ +::: + +## Records that are not transferred + +The following records are not transferred out when you use Cloudflare as primary: + +- [CAA records](/ssl/edge-certificates/caa-records/) +- TXT records used for TLS certificate validation +- DNS-only [Load Balancing](/load-balancing/load-balancers/dns-records/) records + +:::note +Proxied Load Balancing records are transferred as explained in [Proxied records](#proxied-records). +::: \ No newline at end of file diff --git a/src/content/docs/learning-paths/application-security/default-traffic-security/ssl.mdx b/src/content/docs/learning-paths/application-security/default-traffic-security/ssl.mdx index 948a3ac9a58c3b2..952f4a343070189 100644 --- a/src/content/docs/learning-paths/application-security/default-traffic-security/ssl.mdx +++ b/src/content/docs/learning-paths/application-security/default-traffic-security/ssl.mdx 
@@ -10,18 +10,16 @@ Cloudflare offers a range of SSL/TLS options. By default, Cloudflare offers Univ 1. [**Universal SSL**](/ssl/edge-certificates/universal-ssl/): This option covers basic encryption requirements and certificate management needs. -2. [**Foundation DNS**](/dns/foundation-dns/): Foundation DNS is an Enterprise option that provides strategically distributed IPs to enhance resiliency, reduced exposure to incidents or software regression and more consistent nameserver assignment. +2. [**Total TLS**](/ssl/edge-certificates/additional-options/total-tls/): Automatically issues certificates for all subdomain levels, extending the protection offered by Universal SSL. -3. [**Total TLS**](/ssl/edge-certificates/additional-options/total-tls/): Automatically issues certificates for all subdomain levels, extending the protection offered by Universal SSL. +3. [**Advanced Certificates**](/ssl/edge-certificates/advanced-certificate-manager/): Offers customizable certificate issuance and management, including options like choosing the certificate authority, certificate validity period, and removing Cloudflare branding from certificates. -4. [**Advanced Certificates**](/ssl/edge-certificates/advanced-certificate-manager/): Offers customizable certificate issuance and management, including options like choosing the certificate authority, certificate validity period, and removing Cloudflare branding from certificates. +4. [**Custom Certificates**](/ssl/edge-certificates/custom-certificates/): For eligible plans, customers can upload their own certificates, with the user managing issuance and renewal. -5. [**Custom Certificates**](/ssl/edge-certificates/custom-certificates/): For eligible plans, customers can upload their own certificates, with the user managing issuance and renewal. +5. 
[**mTLS Client Certificates**](/ssl/client-certificates/): Cloudflare offers a PKI system, used to create client certificates, which can enforce mutual Transport Layer Security (mTLS) encryption. -6. [**mTLS Client Certificates**](/ssl/client-certificates/): Cloudflare offers a PKI system, used to create client certificates, which can enforce mutual Transport Layer Security (mTLS) encryption. +6. [**Cloudflare for SaaS Custom Hostnames**](/cloudflare-for-platforms/cloudflare-for-saas/): This feature enables SaaS providers to offer their clients the ability to use their own domains while benefiting from Cloudflare's network. -7. [**Cloudflare for SaaS Custom Hostnames**](/cloudflare-for-platforms/cloudflare-for-saas/): This feature enables SaaS providers to offer their clients the ability to use their own domains while benefiting from Cloudflare's network. +7. [**Keyless SSL Certificates**](/ssl/keyless-ssl/): Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys. -8. [**Keyless SSL Certificates**](/ssl/keyless-ssl/): Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys. - -9. [**Origin Certificates**](/ssl/origin-configuration/origin-ca/): Origin CA certificates from Cloudflare are used to encrypt traffic between Cloudflare and your origin web server. These certificates are created through the Cloudflare dashboard and can be configured with a choice of RSA or ECC private keys and support for various server types. +8. [**Origin Certificates**](/ssl/origin-configuration/origin-ca/): Origin CA certificates from Cloudflare are used to encrypt traffic between Cloudflare and your origin web server. These certificates are created through the Cloudflare dashboard and can be configured with a choice of RSA or ECC private keys and support for various server types.
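Review bot: In src/content/docs/dns/foundation-dns/setup.mdx, the added note says standard nameservers still respond to DNS queries after advanced nameservers are enabled, but it does not say whether that is permanent or transitional, or whether the reader needs to do anything about it. Placed above "## Before you begin", it also reads as a prerequisite rather than as behaviour that follows enablement. Suggest adding one sentence on how long this holds and what, if anything, the reader should do, and consider moving the note next to the enablement steps it describes.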
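Review bot: In src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx, deleting the "## Aspects to consider" section also deletes the "### DNS-only CNAME records" and "### Proxied records" headings, so any existing link to those anchors on setup/ will stop resolving. Please check for inbound links to those anchors and repoint them to transfer-criteria/. In the replacement sentence under "## Before you begin", the link text "expected behaviors" says little on its own; naming the target page in the link text would make it easier to scan.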
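Review bot: In the new transfer-criteria.mdx, the "## Records that are not transferred" list names CAA records and the TXT records used for TLS certificate validation without telling the reader what to do about them at the secondary provider. Both record types bear on certificate issuance, so a sentence stating whether they are left out intentionally or need to be recreated by hand at the secondary would close the gap. Smaller points in the same file: the title "Records transfer" does not match the file name transfer-criteria, there is a doubled blank line before "## Proxied records", and the file ends without a trailing newline.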
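Review bot: In src/content/docs/learning-paths/application-security/default-traffic-security/ssl.mdx, removing the Foundation DNS item from the SSL/TLS options list is unrelated to the zone-transfer and nameserver changes in the rest of this patch, so it should be called out in the change description or split into its own change. The hand renumbering of items 2 through 8 is what makes the hunk touch every entry, which hides the one real edit. On a touched line, item 4 uses both "customers" and "the user" for the same party; pick one term.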