Set up a child domain
When using a subdomain setup, the steps to create a child domain depend on the parent domain’s setup and whether the child domain already exists.
Subdomain setup is only available for Enterprise accounts.
Available setups
| Parent zone | Child zone | Available |
|---|---|---|
| Full or Secondary | Full | Yes |
| Full or Secondary | Secondary | Yes |
| Full or Secondary | Partial | No |
| Partial | Full | Yes |
| Partial | Secondary | Yes |
| Partial | Partial | Yes |
Parent domain on full setup
If the parent domain is using a full setup1, your child domain setup depends on whether the child domain already exists.
Subdomain does not exist in the parent domain
If you have not yet created a DNS record covering your child domain in the parent zone:
Add the child domain to the parent domain’s Cloudflare account or another account.
Get the nameserver names for the child domain. These will not be the same nameservers as the parent domain.
Within the DNS > Records of the parent zone, add two
NSrecords for the subdomain you want to delegate.For example, if you delegated
www.example.com, you might add the following records toexample.com:Type Name Content NSwww john.ns.cloudflare.com NSwww melinda.ns.cloudflare.com After a few minutes, the child domain will be active.
Create the various DNS records needed for your child domain.
(Optional) Enable DNSSEC on the child domain.
Subdomain already exists in the parent domain
If you have already created a DNS record covering your child domain in the parent zone:
Add the child domain to the parent domain’s Cloudflare account or another account.
In your child domain, re-create all DNS records that relate to your child domain. This includes all DNS records deeper than the delegated subdomain, meaning that if you are delegating
www.example.com, you should also move over records forapi.www.example.com.If the parent zone is in Cloudflare, make sure that you migrate over any settings (WAF custom rules, Rules, Workers, and more) that might be needed for the child domain.
In the child domain zone, order an advanced SSL certificate that covers the child subdomain and any deeper subdomains (if present).
Get the nameserver names for the child domain. These will not be the same nameservers as the parent domain.
Within the DNS > Records of the parent zone, delete all non-address records (meaning everything except for
A,AAAA, andCNAMErecords).Within the DNS > Records of the parent zone, leave one address record and delete the rest.
Change the type of the last address record to
NSand its content to one of the child domain’s nameserver names. If the parent domain is in Cloudflare, use aPATCHrequest to achieve this.Within the DNS > Records of the parent zone, create the second
NSrecord in the parent zone for the subdomain you want to delegate.For example, if you delegated
www.example.com, you might add the following records toexample.com:Type Name Content NSwww john.ns.cloudflare.com Flush the address records of your child domain in public resolvers ( 1.1.1.1 and 8.8.8.8).
Within a short period of time, the child domain should be active.
(Optional) Enable DNSSEC on the child domain.
Parent domain on partial setup
If the parent domain is using a partial setup2, your child domain setup depends on whether the child domain already exists.
Subdomain does not exist in the parent domain
If you have not yet created a DNS record covering your child domain in the parent zone:
- Add the child domain to the parent domain’s Cloudflare account or another account.
- Complete the configuration accordingly for Full or Secondary setup.
- After creating the DNS records on the child zone, add the Cloudflare nameservers as
NSrecords at your external DNS provider. - Within a short period of time, the child domain should be active.
- Add the child domain to the parent domain’s Cloudflare account or another account.
- Convert the child zone to a partial setup.
- Create the various DNS records needed for your child domain.
- Add the TXT verification record at your authoritative DNS provider.
- Within a short period of time, the child domain should be active.
- Add a
CNAMErecord at your authoritative DNS provider.
Subdomain already exists in the parent domain
If you have already created a DNS record covering your child domain in the parent domain:
Add the child domain to the parent domain’s Cloudflare account or another account.
In your child domain, re-create all DNS records that relate to your child domain. This includes all DNS records deeper than the delegated subdomain, meaning that if you are delegating
www.example.com, you should also move over records forapi.www.example.com.
- In the parent domain, make sure that you migrate over any settings (WAF custom rules, Rules, Workers, and more) that might be needed for the child domain.
- In the child domain, order an advanced SSL certificate that covers the child subdomain and any deeper subdomains.
- Get the Cloudflare nameservers for the child domain and add them as
NSrecords at your external DNS provider. - Within a short period of time, the child domain should be active.
- Within the DNS > Records of the parent zone, delete any
A,AAAA, orCNAMErecords referencing the child domain or any of its deeper subdomains.
Add the child domain to the parent domain’s Cloudflare account or another account.
Convert the child zone to a partial setup.
In your child domain, re-create all DNS records that relate to your child domain. This includes all DNS records deeper than the delegated subdomain, meaning that if you are delegating
www.example.com, you should also move over records forapi.www.example.com.
- In the parent domain, make sure that you migrate over any settings (WAF custom rules, Rules, Workers, and more) that might be needed for the child domain.
- In the child domain, order an advanced SSL certificate that covers the child subdomain and any deeper subdomains.
- Add the TXT verification record at your authoritative DNS provider.
- Within a short period of time, the child domain should be active.
- Within the DNS > Records of the parent zone, delete any previous
A,AAAA, orCNAMErecords referencing the child domain or any of its deeper subdomains, and add the CloudflareCNAMErecord.