Follow this tutorial to migrate an existing DNS zone to Cloudflare without having to disable DNSSEC.
This is an advanced procedure and assume some familiarity with DNS concepts , API operations , and basic setup steps. Assumed knowledge that is not detailed in this tutorial can be referenced through the linked content in each of the steps.
The provider you are migrating from must allow you to add DNSKEY records on the zone apex and use these records in responses to DNS queries.
Add your zone to Cloudflare .
To add your zone using the API, refer to the Create Zone endpoint .
Review the records found by the automatic scan or import your zone file .
To import the zone file using the API, refer to the Import DNS Records endpoint .
Go to DNS > Settings , and select Enable DNSSEC . Or use the following API request .
https://api.cloudflare.com/client/v4/zones/{ zone_id}/dnssec \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"status": "active"}'
Go to DNS > Settings , and enable Multi-signer DNSSEC . Or use the following API request .
https://api.cloudflare.com/client/v4/zones/{ zone_id}/dnssec \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"dnssec_multi_signer": true}'
Add the ZSK ↗ of your previous provider to Cloudflare by creating a DNSKEY record on your zone.
You can do this on the dashboard or through the Create DNS Record endpoint , as in the following example.
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
"public_key": "<PUBLIC_KEY>"
Get Cloudflare's ZSK using either the API or a query from one of the assigned Cloudflare nameservers.
API example:
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
Command line query example:
dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256
Add Cloudflare's ZSK that you fetched in the last step to your previous provider.
Note
You can check if both providers are responding with both ZSKs by running one dig
command for each, as in the following example. You can also use Dig Web Interface ↗ .
dig <ZONE_NAME> dnskey @<PREVIOUS_PROVIDER_NAMESERVER> +noall +answer
dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer
Both queries should return both ZSKs (identified with tag 256
).
Example
dig multisigner.info dnskey @dns1.p01.nsone.net. +noall +answer
multisigner.info. 3600 IN DNSKEY 257 3 13 t+4D<bla_bla_bla>JBmA==
multisigner.info. 3600 IN DNSKEY 256 3 13 pxEU<bla_bla_bla>0xOg==
multisigner.info. 3600 IN DNSKEY 256 3 13 oJM<bla_bla_bla>XhSA==
dig multisigner.info dnskey @ashley.ns.cloudflare.com +noall +answer
multisigner.info. 3600 IN DNSKEY 257 3 13 mdss<bla_bla_bla>eKGQ==
multisigner.info. 3600 IN DNSKEY 256 3 13 oJM<bla_bla_bla>XhSA==
multisigner.info. 3600 IN DNSKEY 256 3 13 pxEU<bla_bla_bla>0xOg==
Add Cloudflare DS record to your registrar. You can see your Cloudflare DS record on the dashboard ↗ by going to DNS > Settings > DS Record .
Add Cloudflare assigned nameservers to your registrar. You can see your Cloudflare nameservers by going to DNS > Records .
At this point your zone is in a multi-signer DNSSEC setup .
4. Remove previous provider
Remove your previous provider's DS record from your registrar.
Remove your previous provider's nameservers from your registrar.
After waiting at least one and a half times the TTL ↗ of your previous provider DS record, you can remove the DNSKEY record (containing your previous provider ZSK) that you added to your Cloudflare zone in step 2 .
Note
You can find out the TTL of your previous provider DS record by running a dig
command, as in the following example, or by using this Dig Web Interface link ↗ .
dig multisigner.info ds +noall +answer
multisigner.info. 3600 IN DS 2371 13 2 227B4C7FF3E1D49D59BAF39BDA54CA0839DE700DD9896076AA3E6AD7 19A0CF55
multisigner.info. 3600 IN DS 48553 13 2 893709B51A9C53D011A4054B15FC5454BEDF68E739BB3B3FA1E333DA 7B8DACFE
In this example, both DS records have a TTL of 3600
seconds. Cloudflare's DS record always has the key tag set to 2371
, so the second line of the response is the DS record of the other provider.
Thank you for helping improve Cloudflare's documentation!