Date: 2024-10-01

If you initially configured a full setup, you can later convert your zone to use incoming zone transfers (Cloudflare as secondary).

Subdomain setup: If you also use subdomain setup, consider the available combinations and whether your zone conversion could have any implications.

Follow the steps below to achieve this conversion.

1. Prepare DNS records

a. Export a zone file.
b. Import the zone file into your new primary DNS provider.
c. At your Cloudflare zone, use the Update DNS Settings endpoint to enable secondary DNS overrides. Set the value for secondary_overrides to true.

Note: Enabling secondary DNS overrides is necessary in case you have DNS records that you wish to keep proxied.

2. Prepare the zone transfers

a. Make adjustments to DNSSEC according to your option for DNSSEC with secondary setup.

b. (Optional) Create a Transaction Signature (TSIG). A Transaction Signature (TSIG) authenticates communication between a primary and secondary DNS server.

Note: The TSIG names configured at your primary and secondary DNS providers have to be exactly the same. Any differences in TSIG names will cause zone transfers to fail.

While optional, this step is highly recommended.

To create a TSIG using the dashboard:

   1. Log in to the Cloudflare dashboard and select your account.
   2. Go to Manage Account > Configurations.
   3. Select DNS Zone Transfers.
   4. For TSIG, select Create.
   5. Enter the following information:
      - TSIG name: The name of the TSIG object using domain name syntax (more details in RFC 8945 section 4.2).
      - Secret (optional): Get a shared secret to add to your third-party nameservers. If left blank, this field generates a random secret.
      - Algorithm: Choose a TSIG signing algorithm.
   6. Select Create.

To create a TSIG using the API, send a POST request.

c. Create a peer server.

To create a peer server using the dashboard:

   1. Log in to the Cloudflare dashboard and select your account.
   2. Go to Manage Account > Configurations.
   3. Select DNS Zone Transfers.
   4. For Peer DNS servers, select Create.
   5. Enter the following information, paying particular attention to:
      - IP: Specifies where Cloudflare sends transfer requests to.
      - Port: Specifies the IP Port for the transfer IP.
      - Enable incremental (IXFR) zone transfers: Specifies if Cloudflare sends IXFR requests in addition to the default AXFR requests.
      - Link an existing TSIG: If desired, link the TSIG you previously created.
   6. Select Create.

To create a peer DNS server using the API, send a POST request.
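A pre-flight check for the TSIG note above, as an added example that is not part of the original page or Cloudflare's own tooling: it compares the key clause configured at the primary with the values entered for the secondary before any transfer is attempted. Assumptions: the primary uses a BIND-style key clause, both sides hold the secret as base64, and the function names, field names and sample values are hypothetical.

```python
import base64
import binascii
import re

# HMAC output sizes in bytes; RFC 2104 discourages keys shorter than the output.
HASH_LEN = {"hmac-sha1": 20, "hmac-sha224": 28, "hmac-sha256": 32,
            "hmac-sha384": 48, "hmac-sha512": 64}

# Assumes the usual clause layout: algorithm first, then secret.
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+"?(?P<algo>[^";\s]+)"?\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;', re.I)

def parse_bind_key(text):
    """Parse one BIND-style key clause into name, algo and secret."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key clause found")
    return m.groupdict()

def decode_secret(b64):
    """Return the raw key bytes, or None if the value is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None

def tsig_mismatches(primary, secondary):
    """Name the fields that differ between the two sides' TSIG settings."""
    issues = []
    if primary["name"] != secondary["name"]:  # exact match, as the note requires
        issues.append("name")
    if primary["algo"].lower() != secondary["algo"].lower():
        issues.append("algorithm")
    p_key, s_key = decode_secret(primary["secret"]), decode_secret(secondary["secret"])
    if p_key is None or s_key is None:
        issues.append("secret-not-base64")
    elif p_key != s_key:
        issues.append("secret")
    elif len(p_key) < HASH_LEN.get(primary["algo"].lower(), 0):
        issues.append("secret-too-short")
    return issues

# Constructed sample values, not real credentials.
SECRET = base64.b64encode(bytes(range(32))).decode()
PRIMARY_CONF = 'key "xfr-key.example.com" {\n  algorithm hmac-sha256;\n  secret "%s";\n};' % SECRET
SECONDARY = {"name": "xfrkey.example.com", "algo": "hmac-sha256", "secret": SECRET}

if __name__ == "__main__":
    print(tsig_mismatches(parse_bind_key(PRIMARY_CONF), SECONDARY))
```

An empty list means the name, algorithm and secret agree on both sides; the sample pair differs only in the TSIG name, which is the case the note warns about.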

3. Convert the zone and initiate zone transfers