With outgoing zone transfers, you keep Cloudflare as your primary DNS provider and use one or more secondary providers for increased availability and fault tolerance.
If you want to use DNSSEC with outgoing zone transfers, you should configure multi-signer DNSSEC. After setting up Cloudflare as primary, follow the steps below to enable DNSSEC.
Before you begin
Note that:
This process requires that your other DNS provider(s) also support multi-signer DNSSEC.
Although you can complete a few steps via the dashboard, currently the whole process can only be completed using the API.
Enabling DNSSEC and Multi-signer DNSSEC in DNS > Settings only replaces the first step below. You still have to follow the rest of this tutorial to complete the setup.
Steps
Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. This is done by setting status to active and dnssec_multi_signer to true, as in the following example.
Add the ZSK(s) of your external provider(s) to Cloudflare by creating a DNSKEY record on your zone.
Once the DNSKEY record is transferred out from Cloudflare to your secondary provider, get Cloudflare's ZSK and manually add it to the DNSKEY record at your secondary provider.
Currently, the ZSK is not automatically transferred out. You can use either the API or a query from one of the assigned Cloudflare nameservers to obtain it.
API example:
Command line query example:
Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the dashboard by going to DNS > Settings > DS Record.
The nameserver settings at your registrar should include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.
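The following is an added example, not Cloudflare's own code: an offline check of the state the steps above should leave you in. Given the DNSKEY RRset as served by each provider's nameservers (obtained with the API or a DNSKEY query as in step 3) and the DS set held at the registrar (step 4), it reports any provider that is missing another provider's ZSK and any KSK without a matching DS, computing key tags and SHA-256 DS digests per RFC 4034. The keys and the provider names are constructed placeholders.

```python
"""Offline consistency check for a multi-signer DNSSEC setup: every provider must
publish every provider's ZSK, and the registrar's DS set must cover every KSK."""
import base64, hashlib, struct

ZSK_FLAGS, KSK_FLAGS = 256, 257

def dnskey_rdata(flags, algorithm, public_key_b64):
    """DNSKEY RDATA in wire form: flags(2) protocol(1, always 3) algorithm(1) key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over the owner name in wire form + DNSKEY RDATA."""
    labels = owner.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def check_multi_signer(owner, providers, parent_ds):
    """providers: {name: [(flags, algorithm, key_b64), ...]} as served by that
    provider's nameservers; parent_ds: set of (key_tag, algorithm, sha256_hex)
    at the registrar. Returns a list of problems; an empty list means consistent."""
    problems = []
    all_zsks = {k for keys in providers.values() for k in keys if k[0] == ZSK_FLAGS}
    for name, keys in providers.items():
        for k in all_zsks - set(keys):  # steps 2/3: ZSKs must be cross-published
            problems.append(f"{name}: DNSKEY RRset lacks ZSK tag {key_tag(dnskey_rdata(*k))}")
        for k in keys:  # step 4: one DS per provider KSK
            if k[0] == KSK_FLAGS:
                rd = dnskey_rdata(*k)
                if (key_tag(rd), k[1], ds_digest(owner, rd)) not in parent_ds:
                    problems.append(f"{name}: no DS at registrar for KSK tag {key_tag(rd)}")
    return problems

# Constructed placeholder keys (a few bytes each, not real key material), algorithm 13.
CF_KSK, CF_ZSK = (KSK_FLAGS, 13, "AQID"), (ZSK_FLAGS, 13, "BAUG")
EXT_KSK, EXT_ZSK = (KSK_FLAGS, 13, "BwgJ"), (ZSK_FLAGS, 13, "CgsM")

def sample_parent_ds(owner="example.com."):
    """DS records the registrar should hold: one per provider KSK."""
    return {(key_tag(dnskey_rdata(*k)), k[1], ds_digest(owner, dnskey_rdata(*k)))
            for k in (CF_KSK, EXT_KSK)}

if __name__ == "__main__":  # secondary has not yet added Cloudflare's ZSK (step 3)
    seen = {"cloudflare": [CF_KSK, CF_ZSK, EXT_ZSK], "secondary": [EXT_KSK, EXT_ZSK]}
    print(check_multi_signer("example.com.", seen, sample_parent_ds()))
```

With real data, populate the provider dictionary from the DNSKEY RRset each provider's nameservers return and the DS set from what the registrar publishes; an empty result is the state the tutorial aims for.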