2024-10-01

If you initially set up a partial zone on Cloudflare, you can later convert it to use a secondary setup.

Subdomain setup: If you also use subdomain setup, consider the available combinations and whether your zone conversion could have any implications.

This page guides you through the conversion using a zone file export and import together with API calls.

Before you begin

Make sure you consider the following:

Proxying traffic with secondary zones requires a setting that is not turned on by default. Refer to Secondary DNS override to learn more. The steps below include enabling this setting.

There are a few options for DNSSEC with incoming zone transfers. If you want to use DNSSEC, plan for which option you will configure and confirm that your other DNS provider(s) support the setup.

You can prepare SSL/TLS in advance by either ordering an advanced certificate or uploading a custom certificate. You should confirm that the certificate covers all your proxied hostnames and that the status of your SSL certificate is Active.

1. Prepare a zone file

Export a zone file from the authoritative DNS provider you were using with your partial (CNAME) setup. Edit the zone file to remove any occurrences of the cdn.cloudflare.net suffix.

If the CNAME target only appends the Cloudflare suffix to the same hostname at which it is created, replace it with the records on the Cloudflare partial zone.

Example

Original record in authoritative DNS provider:

    Type    Name              Content
    CNAME   www.example.com   www.example.com.cdn.cloudflare.net

Records in the Cloudflare partial zone:

    Type    Name              Content
    A       www.example.com   <IPv4>
    A       www.example.com   <IPv4>

Final records adjusted in the zone file:

    Type    Name              Content
    A       www.example.com   <IPv4>
    A       www.example.com   <IPv4>

If the CNAME record points to a different hostname, keep this record but remove the cdn.cloudflare.net suffix, and also bring the records from the Cloudflare partial zone.

Example

Original record in authoritative DNS provider:

    Type    Name              Content
    CNAME   www.example.com   other-hostname.example.com.cdn.cloudflare.net

Records in the Cloudflare partial zone:

    Type    Name                         Content
    A       other-hostname.example.com   <IPv4>
    A       other-hostname.example.com   <IPv4>

Final records adjusted in the zone file:

    Type    Name                         Content
    CNAME   www.example.com              other-hostname.example.com
    A       other-hostname.example.com   <IPv4>
    A       other-hostname.example.com   <IPv4>
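The two cases above are mechanical enough to script. The following is an added example (not part of the Cloudflare documentation) that applies both rules to an exported zone file: a CNAME that only appends the Cloudflare suffix to its own name is replaced by the partial zone's records, and a CNAME that points elsewhere keeps its target without the suffix and pulls the target's records over. It also checks the two conditions that matter for the import in Step 2: no leftover cdn.cloudflare.net reference and a file under 256 KiB. The zone export and the partial-zone records are constructed samples, and the parser assumes one record per line in the simple `name TTL IN TYPE rdata` form.

```python
"""Adjust an exported zone file for the partial-to-secondary conversion:
strip the cdn.cloudflare.net suffix from CNAME targets and merge in the
records that so far existed only in the Cloudflare partial zone."""

CF_SUFFIX = ".cdn.cloudflare.net."     # fully qualified, as written in a zone file
IMPORT_LIMIT_BYTES = 262144            # 256 KiB limit of the Import DNS Records endpoint

# Constructed sample: zone export from the previous authoritative provider
# (simple "name TTL IN TYPE rdata" lines, one record per line).
EXPORTED_ZONE = """\
$ORIGIN example.com.
$TTL 300
example.com.                300 IN SOA   ns1.provider.example. hostmaster.example.com. 2024100101 7200 900 1209600 300
example.com.                300 IN NS    ns1.provider.example.
www.example.com.            300 IN CNAME www.example.com.cdn.cloudflare.net.
blog.example.com.           300 IN CNAME other-hostname.example.com.cdn.cloudflare.net.
mail.example.com.           300 IN A     192.0.2.25
"""

# Constructed sample: proxied records that exist only in the Cloudflare partial zone.
PARTIAL_ZONE_RECORDS = {
    "www.example.com.": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
    "other-hostname.example.com.": [("A", "198.51.100.7"), ("AAAA", "2001:db8::7")],
}


def _fmt(name, ttl, rtype, rdata):
    return f"{name:<28}{ttl} IN {rtype:<5} {rdata}"


def _partial_records_for(name, ttl, partial_records, missing):
    """Records to emit for `name` from the partial zone; note it if there are none."""
    recs = partial_records.get(name)
    if not recs:
        missing.append(name)
        return []
    return [_fmt(name, ttl, rtype, rdata) for rtype, rdata in recs]


def rewrite_zone(zone_text, partial_records):
    """Return (adjusted zone text, names that needed partial-zone records but had none)."""
    out, missing, seen = [], [], set()
    # Owner names already present in the export, so we do not emit duplicates.
    for ln in zone_text.splitlines():
        p = ln.split()
        if len(p) >= 4 and p[2] == "IN":
            seen.add(p[0])

    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] != "CNAME":
            out.append(line)                      # directives, SOA, NS, A, ... pass through
            continue
        name, ttl, _, _, target = parts[:5]
        if not target.endswith(CF_SUFFIX):
            out.append(line)                      # ordinary CNAME, unrelated to the partial setup
            continue
        target = target[:-len(CF_SUFFIX)] + "."   # drop the suffix, keep it fully qualified
        if target == name:
            # Case 1: the CNAME only appended the Cloudflare suffix to its own name.
            # Drop it and put the partial zone's records in its place.
            out.extend(_partial_records_for(name, ttl, partial_records, missing))
        else:
            # Case 2: the CNAME points elsewhere. Keep it without the suffix and
            # bring the target's records over (once) from the partial zone.
            out.append(_fmt(name, ttl, "CNAME", target))
            if target not in seen:
                out.extend(_partial_records_for(target, ttl, partial_records, missing))
                seen.add(target)
    return "\n".join(out) + "\n", missing


def check_no_cloudflare_suffix(zone_text):
    """True when no record still references cdn.cloudflare.net; leftovers break HTTP traffic."""
    return "cdn.cloudflare.net" not in zone_text


def fits_import_limit(zone_text):
    """True when the file is within the import endpoint's 256 KiB limit."""
    return len(zone_text.encode("utf-8")) <= IMPORT_LIMIT_BYTES


if __name__ == "__main__":
    adjusted, missing = rewrite_zone(EXPORTED_ZONE, PARTIAL_ZONE_RECORDS)
    print(adjusted)
    print("missing partial-zone records for:", missing)
    print("clean:", check_no_cloudflare_suffix(adjusted), "fits limit:", fits_import_limit(adjusted))
```

The `missing` list is the useful part in practice: any hostname it reports had a Cloudflare CNAME but no records exported from the partial zone, so the adjusted file would leave that name unresolvable after the conversion.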

2. Configure the Cloudflare zone

1. Use the Import DNS Records endpoint with a properly formatted zone file to import the records into your partial zone. The zone file size limit is 256 KiB (262144 bytes). Existing and already proxied records will not be overwritten by the import.

2. Use the Update DNS Settings endpoint with secondary_overrides set to true to enable Secondary DNS Override.

   Warning: This step is essential so that Cloudflare can keep the proxy status of the records after the conversion.

3. Use the Edit Zone endpoint with type set to secondary to convert the zone type.

4. Verify that the zone answers as expected by querying the newly assigned secondary nameservers. You can find your nameservers in DNS > Records; they follow a format like ns0123.secondary.cloudflare.com.

   Terminal window:

       # Replace ns0123 with your actual Cloudflare nameservers
       dig example.com @ns0123.secondary.cloudflare.com

5. At your registrar, update your nameservers to point to the Cloudflare nameservers.

Once the time to live (TTL) of the previous NS records has expired and this information is evicted from resolvers' caches, your zone will be properly delegated to Cloudflare. To update DNS records, you must configure zone transfers in the next steps.

3. Configure the zone transfers

Remove all references to cdn.cloudflare.net from your primary DNS provider. You can do this by importing the same zone file you prepared in Step 1 onto your primary zone.

Warning: If you keep any DNS records that still refer to cdn.cloudflare.net, HTTP traffic for the respective hostnames will break.

Enable outgoing zone transfers at your primary provider and create a peer DNS server on your Cloudflare account.

Dashboard

To create a peer server using the dashboard:

1. Log in to the Cloudflare dashboard and select your account.
2. Go to Manage Account > Configurations.
3. Select DNS Zone Transfers.
4. For Peer DNS servers, select Create.
5. Enter the following information, paying particular attention to:
   - IP: Specifies where Cloudflare sends transfer requests to.
   - Port: Specifies the IP port for the transfer IP.
   - Enable incremental (IXFR) zone transfers: Specifies if Cloudflare sends IXFR requests in addition to the default AXFR requests.
   - Link an existing TSIG: If desired, link the TSIG you previously created.
6. Select Create.

API

To create a peer DNS server using the API, send a POST request.

Link your Cloudflare zone to the peer DNS server you just created.

Dashboard

1. Go to DNS > Records.
2. Under DNS Zone Transfers, select Manage linked peers.
3. Choose a value for Zone refresh, which controls the number of seconds between zone updates from your primary DNS server.

   Warning: Cloudflare will not use the REFRESH value inside the SOA record served by your primary provider. Instead, the Zone refresh value configured for your secondary zone on Cloudflare determines the interval after which the SOA serial of the primary zone is checked for changes.

4. Select the peer server you previously created. If needed, you can link more than one peer server to a zone.
5. Select Save to confirm.

API

Use the Update Secondary Zone Configuration endpoint to link your Cloudflare zone to the peer DNS server.
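The API calls in Steps 2 and 3 only do the right thing in a specific order: the override setting has to be on before the zone type changes, and the peer has to exist before the zone can be linked to it. The following is an added example, not code from the Cloudflare documentation, that drives that sequence through a pluggable `send(method, path, body)` function so the ordering and the guards can be exercised offline. The endpoint paths and the `{"success", "errors", "result"}` response shape are my recollection of the Cloudflare API v4 and are assumptions to confirm against the current API reference; the dry-run sender and its responses are constructed and do not contact Cloudflare.

```python
"""Steps 2 and 3 of the partial-to-secondary conversion as one ordered sequence
of API calls, with the checks a careless run would skip."""
import json

API_BASE = "https://api.cloudflare.com/client/v4"   # prefix for every path below
IMPORT_LIMIT_BYTES = 262144                          # 256 KiB, the import endpoint's limit


class ConversionError(Exception):
    """Raised when a precondition fails or the API reports success: false."""


def _ok(resp):
    """Unwrap a Cloudflare-style response or raise with its error list."""
    if not resp.get("success"):
        raise ConversionError(json.dumps(resp.get("errors")))
    return resp["result"]


def run_conversion(send, zone_id, account_id, zone_name, zone_file, peer, refresh_seconds=3600):
    """Perform steps 2 and 3 in order. `send(method, path, body)` performs one
    authenticated request against API_BASE + path and returns the decoded JSON.
    Endpoint paths are assumptions (see lead-in)."""
    # Preconditions from Step 1: no leftover Cloudflare suffix, and within the size limit.
    if "cdn.cloudflare.net" in zone_file:
        raise ConversionError("zone file still references cdn.cloudflare.net; HTTP traffic would break")
    if len(zone_file.encode("utf-8")) > IMPORT_LIMIT_BYTES:
        raise ConversionError("zone file exceeds the 256 KiB import limit")

    # 2a. Import the records; existing proxied records are not overwritten.
    _ok(send("POST", f"/zones/{zone_id}/dns_records/import", {"file": zone_file}))

    # 2b. Secondary DNS Override must be enabled BEFORE the type change, otherwise
    #     the proxy status of the records is lost on conversion. Refuse to go on if
    #     the API did not confirm the setting.
    settings = _ok(send("PATCH", f"/zones/{zone_id}/dns_settings", {"secondary_overrides": True}))
    if not settings.get("secondary_overrides"):
        raise ConversionError("secondary_overrides not enabled; refusing to convert the zone type")

    # 2c. Convert the zone type.
    _ok(send("PATCH", f"/zones/{zone_id}", {"type": "secondary"}))

    # 3a. Create the peer (the primary Cloudflare will request transfers from).
    peer_id = _ok(send("POST", f"/accounts/{account_id}/secondary_dns/peers", peer))["id"]

    # 3b. Link the zone to the peer. refresh_seconds is the interval Cloudflare
    #     actually uses; the SOA REFRESH of the primary is ignored.
    _ok(send("PUT", f"/zones/{zone_id}/secondary_dns/incoming",
             {"name": zone_name, "peers": [peer_id], "auto_refresh_seconds": refresh_seconds}))
    return peer_id


def dry_run_sender(log):
    """Offline stand-in for the HTTP layer: records each call and returns the
    shape of a successful response (constructed, not real Cloudflare output)."""
    def send(method, path, body):
        log.append((method, path, body))
        result = {"id": "peer-0001"} if path.endswith("/secondary_dns/peers") else dict(body)
        return {"success": True, "errors": [], "result": result}
    return send


if __name__ == "__main__":
    calls = []
    peer = {"name": "primary-1", "ip": "203.0.113.5", "port": 53, "ixfr_enable": True}  # constructed
    zone_file = "example.com. 300 IN A 192.0.2.10\n"                                    # constructed
    run_conversion(dry_run_sender(calls), "<zone id>", "<account id>", "example.com", zone_file, peer)
    for method, path, body in calls:
        print(method, API_BASE + path, json.dumps(body)[:60])
```

For a real run, `send` is the only piece to replace: a function that adds the `Authorization: Bearer <token>` header and posts JSON bodies, with the exception of the import endpoint, which takes the zone file as a multipart form upload rather than JSON. Keeping the HTTP layer separate is what makes the ordering and the guards testable without touching a live zone.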