With outgoing zone transfers, you keep Cloudflare as your primary DNS provider and use one or more secondary providers for increased availability and fault tolerance.
If you want to use DNSSEC with outgoing zone transfers, you should configure multi-signer DNSSEC. After setting up Cloudflare as primary, follow the steps below to enable DNSSEC.
Note that:
status to active and dnssec_multi_signer to true, as in the following example.curl --request PATCH \'https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec' \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "status": "active", "dnssec_multi_signer": true}'curl 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records' \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "type": "DNSKEY", "name": "<ZONE_NAME>", "data": { "flags": 256, "protocol": 3, "algorithm": 13, "public_key": "<PUBLIC_KEY>" }, "ttl": 3600}'Once the DNSKEY record is transferred out from Cloudflare to your secondary provider, get Cloudflare’s ZSK and manually add it to the DNSKEY record.
Currently, the ZSK is not automatically transferred out. You can use either the API or a query from one of the assigned Cloudflare nameservers to obtain it.
API example:
curl 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk' \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"Command line query example:
$ dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256The nameserver settings at your registrar should include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.