Convert partial setup to secondary setup
If you initially set up a partial zone on Cloudflare, you can later convert it to use a secondary setup.
-
Meaning you have one or more subdomains (
sub.example.com
) added to Cloudflare as their own zone, separate from your apex domain (example.com
). ↩
This page will guide you through this conversion using export and import and API calls.
Make sure you consider the following:
- Proxying traffic with secondary zones requires a setting that is not turned on by default. Refer to Secondary DNS override to learn more. The steps below include enabling this setting.
- There are a few options for DNSSEC with incoming zone transfers. If you want to use DNSSEC, plan for which option you will configure and confirm that your other DNS provider(s) support the setup.
- You can prepare SSL/TLS in advance by either ordering an advanced certificate or uploading a custom certificate. You should confirm that the certificate covers all your proxied hostnames and that the status of your SSL certificate ↗ is Active.
- Export a zone file from the authoritative DNS provider you were using with your partial (CNAME) setup.
- Edit the zone file to remove any occurrences of the
cdn.cloudflare.net
suffix.
- If the
CNAME
target is only appending the Cloudflare suffix to the same hostname at which it is created, replace it by the records on the Cloudflare partial zone.
Example
Original record in authoritative DNS provider:
Type | Name | Content |
---|---|---|
CNAME | www.example.com | www.example.com.cdn.cloudflare.net |
Records in the Cloudflare partial zone:
Type | Name | Content |
---|---|---|
A | www.example.com | <IPv4> |
A | www.example.com | <IPv4> |
Final records adjusted in the zone file:
Type | Name | Content |
---|---|---|
A | www.example.com | <IPv4> |
A | www.example.com | <IPv4> |
- If the
CNAME
record points to a different hostname, keep this record but remove thecdn.cloudflare.net
suffix, and also bring the records from the Cloudflare partial zone.
Example
Original record in authoritative DNS provider:
Type | Name | Content |
---|---|---|
CNAME | www.example.com | other-hostname.example.com.cdn.cloudflare.net |
Records in the Cloudflare partial zone:
Type | Name | Content |
---|---|---|
A | other-hostname.example.com | <IPv4> |
A | other-hostname.example.com | <IPv4> |
Final records adjusted in the zone file:
Type | Name | Content |
---|---|---|
CNAME | www.example.com | other-hostname.example.com |
A | other-hostname.example.com | <IPv4> |
A | other-hostname.example.com | <IPv4> |
-
Use the Import DNS Records endpoint with a properly formatted zone file to import the records into your partial zone.
The zone file size limit is 256 KiB (262144 bytes).
Existing and already proxied records will not be overwritten by the import. -
Use the Update DNS Settings endpoint with
secondary_overrides
set totrue
, to enable Secondary DNS Override.
-
Use the Edit Zone endpoint with
type
set tosecondary
, to convert the zone type.You can verify if it answers as expected by querying the new assigned secondary nameservers. You can find your nameservers in DNS > Records ↗, and they should follow a format like
ns0123.secondary.cloudflare.com
.
- At your registrar, update your nameservers to point to the Cloudflare nameservers.
Once the time to live (TTL) of previous NS
records is expired and this information is evicted from resolvers' cache, your zone will be properly delegated to Cloudflare. In order to update DNS records, you must configure zone transfers in the next steps.
- Remove all references to
cdn.cloudflare.net
from your primary DNS provider. You can do this by importing the same zone file you prepared in Step 1 onto your primary zone.
- Enable outgoing zone transfers at your primary provider and create a peer DNS server on your Cloudflare account.
To create a peer server using the dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account.
- Go to Manage Account > Configurations.
- Select DNS Zone Transfers.
- For Peer DNS servers, select Create.
- Enter the following information, paying particular attention to:
- IP: Specifies where Cloudflare sends transfer requests to.
- Port: Specifies the IP Port for the transfer IP.
- Enable incremental (IXFR) zone transfers: Specifies if Cloudflare sends IXFR requests in addition to the default AXFR requests.
- Link an existing TSIG: If desired, link the TSIG you previously created.
- Select Create.
To create a peer DNS server using the API, send a POST request.
- Link your Cloudflare zone to the peer DNS server you just created.
- Go to DNS > Records.
- Under DNS Zone Transfers, select Manage linked peers.
- Choose a value for Zone refresh, which controls the number of seconds between zone updates from your primary DNS server.
- Select the peer server you previously created. If needed, you can link more than one peer server to a zone.
- Select Save to confirm.
Use the Update Secondary Zone Configuration endpoint to link your Cloudflare zone to the peer DNS server.
- In DNS > Settings ↗, confirm the linked peer is listed under DNS Zone Transfers, and select Initiate zone transfer. Alternatively, you can use the Force AXFR endpoint.