Cloudflare Docs
Visit DNS on GitHub
Set theme to dark (⇧+D)

DNSSEC for incoming zone transfers

DNS Security Extensions (DNSSEC) increase security by adding cryptographic signatures to DNS records. When you use multiple providers and Cloudflare is secondary, you have a few options to enable DNSSEC for records served by Cloudflare.

​​ Set up multi-signer DNSSEC

Refer to Set up multi-signer DNSSEC and follow the instructions, considering the note about Cloudflare as Secondary.

​​ Enable DNSSEC for hidden primary setup

If you use Cloudflare secondary nameservers as the only nameservers authoritatively responding to DNS queries, you can enable DNSSEC for your zone by setting a status of active through the Edit DNSSEC Status endpoint.

In this setup, DNSSEC on your pirmary DNS provider does not need to be enabled.

​​ Set up DNSSEC for pre-signed zones

​​ Prerequisites

  • Your secondary zone in Cloudflare already exists and zone transfers from your primary DNS provider are working correctly.
  • Your primary DNS provider supports DNSSEC using NSEC records (and not NSEC3).
  • Your primary DNS provider transfers out DNSSEC related records, such as RRSIG, DNSKEY, and NSEC.

​​ Steps

  1. Enable DNSSEC at your primary DNS provider.
  2. Use the Edit DNSSEC Status endpoint to enable pre-signed DNSSEC on your Cloudflare secondary zone.

curl --request PATCH{zone_id}/dnssec \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <KEY>' \
--header 'Content-Type: application/json' \
--data '{
  1. Make sure Cloudflare nameservers are added at your registrar. You can see your Cloudflare nameservers on the dashboard by going to DNS > Records.

  2. Make sure there is a DS record added at your registrar. The DS record is obtained from your primary DNS provider (the signer of the zone). The DS record communicates to resolvers that a zone has DNSSEC enabled.