diff --git a/src/content/docs/dns/additional-options/reverse-zones.mdx b/src/content/docs/dns/additional-options/reverse-zones.mdx index 89d220f1f8aaa7..29ee8f5cbf76fc 100644 --- a/src/content/docs/dns/additional-options/reverse-zones.mdx +++ b/src/content/docs/dns/additional-options/reverse-zones.mdx @@ -32,7 +32,7 @@ If your account does not meet these qualifications and you do not own the IP pre To set up a reverse zone, you need to create a reverse DNS zone and add PTR records for forward resolution. -### Step 1 - Create a reverse DNS zone +### 1. Create a reverse DNS zone 1. Within your account, click **Add site**. @@ -55,7 +55,7 @@ To set up a reverse zone, you need to create a reverse DNS zone and add PTR reco * For IPv6, consider the following examples: - + * **IPv6 prefix**: `2001:DB8::0/32` * **Reverse zone**: `8.b.d.0.1.0.0.2.ip6.arpa` @@ -69,7 +69,7 @@ To set up a reverse zone, you need to create a reverse DNS zone and add PTR reco 4. Skip the rest of the onboarding process. -### Step 2 - Add PTR records +### 2. Add PTR records 1. Go to **DNS** > **Records**. diff --git a/src/content/docs/dns/dnssec/index.mdx b/src/content/docs/dns/dnssec/index.mdx index 3eee21a355a27a..117ca005f7c1dc 100644 --- a/src/content/docs/dns/dnssec/index.mdx +++ b/src/content/docs/dns/dnssec/index.mdx @@ -24,11 +24,11 @@ import { Render } from "~/components" When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys, and generates your **DS** record. -### Step 1 - Activate DNSSEC in Cloudflare +### 1. Activate DNSSEC in Cloudflare -### Step 2 - Add DS record to your registrar +### 2. Add DS record to your registrar diff --git a/src/content/docs/dns/manage-dns-records/how-to/subdomains-outside-cloudflare.mdx b/src/content/docs/dns/manage-dns-records/how-to/subdomains-outside-cloudflare.mdx index afd7ae2af09ef8..40111920bdd952 100644 --- a/src/content/docs/dns/manage-dns-records/how-to/subdomains-outside-cloudflare.mdx 
+++ b/src/content/docs/dns/manage-dns-records/how-to/subdomains-outside-cloudflare.mdx @@ -41,4 +41,4 @@ To delegate a subdomain such as *internal.example.com*, tell DNS resolvers wher :::note The `A` records for the subdomain are only required as glue records for nameservers that are located in the subdomain of the current zone that is being delegated. ::: -5. (Optional) If the delegated nameserver has DNSSEC enabled, [add the `DS` record](/dns/dnssec/#step-1---activate-dnssec-in-cloudflare) in Cloudflare. +5. (Optional) If the delegated nameserver has DNSSEC enabled, [add the `DS` record](/dns/dnssec/#1-activate-dnssec-in-cloudflare) in Cloudflare. diff --git a/src/content/docs/dns/zone-setups/partial-setup/convert-partial-to-full.mdx b/src/content/docs/dns/zone-setups/partial-setup/convert-partial-to-full.mdx index 521db75bbbbe2b..1d1be620b0cdbe 100644 --- a/src/content/docs/dns/zone-setups/partial-setup/convert-partial-to-full.mdx +++ b/src/content/docs/dns/zone-setups/partial-setup/convert-partial-to-full.mdx @@ -11,7 +11,7 @@ head: If you initially set up a partial domain on Cloudflare, you can later migrate it to a [full setup](/dns/zone-setups/full-setup/). -## Step 1 — Prepare Cloudflare SSL/TLS +## 1. Prepare Cloudflare SSL/TLS In the Cloudflare dashboard, either order an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/) or [upload a custom SSL certificate](/ssl/edge-certificates/custom-certificates/uploading/) for your website or application. @@ -30,7 +30,7 @@ It is possible to use [Universal SSL](/ssl/edge-certificates/universal-ssl/) ins ::: -## Step 2 — Update settings in authoritative DNS +## 2. Update settings in authoritative DNS At least 24 hours prior to converting your zone, disable DNSSEC at your authoritative DNS provider. 
@@ -42,7 +42,7 @@ As a best practice, you should also delete the previous [zone activation TXT rec ::: -## Step 3 — Convert to full setup +## 3. Convert to full setup In the Cloudflare dashboard: @@ -50,7 +50,7 @@ In the Cloudflare dashboard: 2. Select **Convert to Primary DNS** (this will not affect how your traffic is proxied). 3. Import your records into Cloudflare DNS and verify that they have been configured correctly. Usually, you will want to import [unproxied records](/dns/manage-dns-records/reference/proxied-dns-records/). -## Step 4 — Activate full setup +## 4. Activate full setup Get your assigned Cloudflare nameservers from **DNS** > **Records** and [update your nameservers](/dns/nameservers/update-nameservers/) at your registrar. diff --git a/src/content/docs/dns/zone-setups/troubleshooting/cannot-add-domain.mdx b/src/content/docs/dns/zone-setups/troubleshooting/cannot-add-domain.mdx index fc85db25c329d1..94013e9aeaa5d3 100644 --- a/src/content/docs/dns/zone-setups/troubleshooting/cannot-add-domain.mdx +++ b/src/content/docs/dns/zone-setups/troubleshooting/cannot-add-domain.mdx @@ -9,7 +9,7 @@ head: If you encounter issues [adding a domain](/fundamentals/setup/manage-domains/add-site/) to Cloudflare, follow these troubleshooting steps. -## Step 1 - Disable DNSSEC +## 1. Disable DNSSEC Cloudflare cannot provide authoritative DNS resolution for a domain — a [full setup domain](/dns/zone-setups/full-setup/) — when **DNSSEC** is enabled at your domain registrar. @@ -23,7 +23,7 @@ If you experience these issues, refer to [Configuring DNSSEC](/dns/dnssec) and [ --- -## Step 2 - Register the domain +## 2. Register the domain If the issue is with your registrar, you may receive the following error messages: 
@@ -39,7 +39,7 @@ If you receive these error messages, make sure that: --- -## Step 3 - Resolve DNS for apex domain +## 3. Resolve DNS for apex domain Before a domain can be added to Cloudflare, the domain must return `NS` records for valid, working nameservers. `NS` records can be checked via third-party online tools such as [https://www.whatsmydns.net](https://www.whatsmydns.net/) or via a command-line terminal using a dig command: @@ -69,7 +69,7 @@ ns3.cloudflare.com. dns.cloudflare.com. 2029202248 10000 2400 604800 300 --- -## Step 4 - Check if the domain is restricted at Cloudflare +## 4. Check if the domain is restricted at Cloudflare If Cloudflare has temporary or permanent restrictions on a domain, you will receive the following errors: diff --git a/src/content/docs/dns/zone-setups/zone-transfers/access-control-lists/create-new-list.mdx b/src/content/docs/dns/zone-setups/zone-transfers/access-control-lists/create-new-list.mdx index ff6aad6d5626e1..5e57274628d51b 100644 --- a/src/content/docs/dns/zone-setups/zone-transfers/access-control-lists/create-new-list.mdx +++ b/src/content/docs/dns/zone-setups/zone-transfers/access-control-lists/create-new-list.mdx 
@@ -10,10 +10,7 @@ head: import { TabItem, Tabs } from "~/components"; -You need to create an Access Control List (ACL) in certain situations: - -- If Cloudflare is your [primary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-primary/), create an ACL to specify additional IPs Cloudflare should accept zone transfer requests from. -- If Cloudflare is your [secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), create an ACL to specify additional NOTIFY IPs that Cloudflare should listen to. +You need to create an Access Control List (ACL) if Cloudflare is your [secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/). The ACL will specify additional NOTIFY IPs that Cloudflare should listen to. An ACL is configured at the account level, which means that it will apply to every primary and secondary zone in your account. diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx index a4aacb9a96d480..add064c80c8c37 100644 --- a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx +++ b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx @@ -39,7 +39,7 @@ If using the API, you may also want to [locate your Zone and Account IDs](/funda --- -## Step 1 - Create TSIG (optional) +## 1. Create TSIG (optional) @@ -53,7 +53,7 @@ If using the API, you may also want to [locate your Zone and Account IDs](/funda -## Step 2 - Create Peer DNS Server (optional) +## 2. Create Peer DNS Server (optional) You only need to create a peer DNS server if you want: 
@@ -72,7 +72,7 @@ To create a peer using the dashboard: - **IP**: If configured, specifies where Cloudflare sends NOTIFY requests to. - **Port**: Specifies the IP Port for the NOTIFY IP. - **Enable incremental (IXFR) zone transfers**: Does not apply when you are using Cloudflare as your primary DNS provider (Cloudflare zones always accept IXFR requests). - - **Link an existing TSIG**: If desired, link the TSIG you [previously created](#step-1---create-tsig-optional). + - **Link an existing TSIG**: If desired, link the TSIG you [previously created](#1-create-tsig-optional). 6. Select **Create**. @@ -81,13 +81,13 @@ To create a peer DNS server using the API, send a [POST]( -## Step 3 - Link peer to primary zone (optional) +## 3. Link peer to primary zone (optional) -If you previously [created a peer DNS server](#step-2---create-peer-dns-server-optional), you should link it to your primary zone. +If you previously [created a peer DNS server](#2-create-peer-dns-server-optional), you should link it to your primary zone. -To create a secondary zone using the dashboard: +To link a primary zone to a peer using the dashboard: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login). 2. Select your account and zone. 
@@ -98,23 +98,21 @@ To create a secondary zone using the dashboard: -To link a primary zone to a peer using the API, send a [POST]() request with the ID of the peer you [previously created](#step-2---create-peer-dns-server-optional). +To link a primary zone to a peer using the API, send a [POST]() request with the ID of the peer you [previously created](#2-create-peer-dns-server-optional). -## Step 4 - Create an ACL +:::caution[Multiple peers and TSIG] +If you link more than one peer to a zone and at least one of them has TSIG configured, all peers are expected to also use the same TSIG. +::: -When you create an Access Control List (ACL), that list contains the source IP addresses that are allowed to send zone transfer requests. If you do not configure an ACL, your zone transfers will fail from IP addresses other than the one specified in the peer DNS server linked to your primary zone on Cloudflare. +## 4. Update your secondary DNS provider -For more details, refer to [create an ACL](/dns/zone-setups/zone-transfers/access-control-lists/create-new-list/). - -## Step 5 - Update your secondary DNS provider - -Your secondary DNS provider should send zone transfer requests (via AXFR or IXFR) to [this IP](/dns/zone-setups/zone-transfers/access-control-lists/cloudflare-ip-addresses/#transfer-ip) on port 53 and from the IP address specified in your [peer configuration](#step-2---create-peer-dns-server-optional). +Your secondary DNS provider should send zone transfer requests (via AXFR or IXFR) to [this IP](/dns/zone-setups/zone-transfers/access-control-lists/cloudflare-ip-addresses/#transfer-ip) on port 53 and from the IP address specified in your [peer configuration](#2-create-peer-dns-server-optional). It should also have updated [Access Control Lists (ACLs)](/dns/zone-setups/zone-transfers/access-control-lists/cloudflare-ip-addresses/#allow-range) to prevent NOTIFY messages sent from Cloudflare IP ranges from being blocked. 
-## Step 6 - Add secondary nameservers within Cloudflare +## 5. Add secondary nameservers within Cloudflare Using the information from your secondary DNS provider, [create `NS` records](/dns/manage-dns-records/how-to/create-dns-records/#create-dns-records) on your zone apex listing your secondary nameservers. @@ -142,7 +140,7 @@ curl --request PATCH \ -## Step 7 - Enable outgoing zone transfers +## 6. Enable outgoing zone transfers When you enable outgoing zone transfers, this will send a DNS NOTIFY message to your secondary DNS provider. @@ -159,6 +157,6 @@ To enable outgoing zone transfers using the API, send a [POST]( -## Step 8 - Add secondary nameservers to registrar +## 7. Add secondary nameservers to registrar At your registrar, add the nameservers of your secondary DNS provider. diff --git a/src/content/partials/dns/tsig-create-dash.mdx b/src/content/partials/dns/tsig-create-dash.mdx index 9046a6e5eba204..7cf7c9593cdcb4 100644 --- a/src/content/partials/dns/tsig-create-dash.mdx +++ b/src/content/partials/dns/tsig-create-dash.mdx @@ -7,10 +7,10 @@ To create a TSIG using the dashboard: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. 2. Go to **Manage Account** > **Configurations**. -3. Click **DNS Zone Transfers**. -4. For **TSIG**, click **Create**. +3. Select **DNS Zone Transfers**. +4. For **TSIG**, select **Create**. 5. Enter the following information: * **TSIG name**: The name of the TSIG object using domain name syntax (more details in [RFC 8945 section 4.2](https://datatracker.ietf.org/doc/html/rfc8945#section-4.2)). * **Secret (optional)**: Get a shared secret to add to your third-party nameservers. If left blank, this field generates a random secret. * **Algorithm**: Choose a TSIG signing algorithm. -6. Click **Create**. +6. Select **Create**.
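Review bot: The heading renames in reverse-zones.mdx, convert-partial-to-full.mdx and cannot-add-domain.mdx change the generated heading anchors, but the only anchor links this patch updates are in subdomains-outside-cloudflare.mdx and cloudflare-as-primary/setup.mdx. Search the rest of the docs tree for `#step-` fragments that point at these pages (and at /dns/dnssec/) and update them in the same change, so that inbound deep links do not silently land at the top of the page.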
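Review bot: In subdomains-outside-cloudflare.mdx, step 5, the link text reads "add the `DS` record" but the updated target is `/dns/dnssec/#1-activate-dnssec-in-cloudflare`, the activation heading, while dnssec/index.mdx has a separate "2. Add DS record to your registrar" heading. Since the line is being edited anyway, confirm which section a reader delegating a DNSSEC-signed subdomain should land on and point the link there. A wrong or missing DS record at the parent breaks validation for the whole delegated subdomain.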
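Review bot: In create-new-list.mdx the new intro limits ACLs to the secondary DNS case, but the unchanged sentence right after it still says the ACL "will apply to every primary and secondary zone in your account". Those two statements now disagree about whether an ACL has any effect on primary zones. Either drop "primary and" from the retained sentence or explain what the ACL does for a primary zone.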
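Review bot: In cloudflare-as-primary/setup.mdx, removing "Step 4 - Create an ACL" also removes the only statement in this procedure of which source IPs may request zone transfers ("your zone transfers will fail from IP addresses other than the one specified in the peer DNS server"). The new step 4 only says the secondary should send requests "from the IP address specified in your peer configuration", which reads as advice rather than an access rule. Add one sentence stating that AXFR/IXFR requests are accepted only from linked peer IPs, if that is the behaviour, so readers do not assume transfers are open or look for an ACL that no longer applies.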
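Review bot: The new `:::caution[Multiple peers and TSIG]` block in cloudflare-as-primary/setup.mdx says all peers "are expected to also use the same TSIG" without stating what happens when they do not. State the consequence explicitly, for example whether transfers to a peer without the TSIG are refused, so the reader can tell a hard requirement from a recommendation. Consider also cross-referencing this from the "Link an existing TSIG" bullet in step 2, where the TSIG choice is actually made.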
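Review bot: The tsig-create-dash.mdx hunk switches "Click" to "Select" in steps 3, 4 and 6, but reverse-zones.mdx, touched in the same patch, still has "click **Add site**" in its unchanged context. If the intent is to standardise on "Select", apply it to the pages edited here as well so the wording is consistent within one change.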