diff --git a/src/content/docs/dns/additional-options/dns-zone-defaults.mdx b/src/content/docs/dns/additional-options/dns-zone-defaults.mdx
new file mode 100644
index 000000000000000..ab41eb6128202a7
--- /dev/null
+++ b/src/content/docs/dns/additional-options/dns-zone-defaults.mdx
@@ -0,0 +1,38 @@
+---
+pcx_content_type: how-to
+title: Zone defaults
+sidebar:
+ order: 3
+---
+
+# Configure DNS zone defaults
+
+While there are default values for DNS settings that Cloudflare applies to all new zones, Enterprise accounts have the option to configure their own DNS zone defaults according to their preference.
+
+:::caution
+DNS zone defaults are only applied at the moment a new zone is created and will not impact already existing zones. Any of the values specified as default can later be adjusted within each zone, on the respective [**DNS** > **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/dns/settings) or [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) page.
+:::
+
+## Steps
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
+2. Go to **Manage Account** > **Configurations** > **DNS Settings**.
+3. For **DNS zone defaults**, select **Configure defaults**.
+
+The values you select for the listed settings will be automatically applied to new zones as you add them to your Cloudflare account.
+
+## Available settings
+
+- [Nameserver assignment](/dns/nameservers/nameserver-options/#assignment-method): Select your preferred nameserver type or assignment method that you want Cloudflare to use for your new zones. This setting applies both to primary zones ([full setup](/dns/zone-setups/full-setup/)) and [secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/).
+
+For primary zones:
+
+- [Multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns): Control whether or not Cloudflare will consider `NS` records you add on the zone apex and if zones that contain external nameservers listed in the registrar will be activated.
+- [Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl): Control how long, in seconds, your nameserver (`NS`) records are cached. The default time-to-live (TTL) is 24 hours. This setting applies both to Cloudflare nameservers and [custom nameservers](/dns/nameservers/custom-nameservers/).
+- [SOA record](/dns/manage-dns-records/reference/dns-record-types/#soa): Adjust values for the start of authority (SOA) record that Cloudflare creates for your zone.
+
+For secondary zones:
+
+- [Secondary DNS override](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/): Enable the options to use Cloudflare [proxy](/dns/manage-dns-records/reference/proxied-dns-records/) and add `CNAME` records at your zone apex.
+
+ Multi-provider DNS does not apply as a setting for secondary zones, as this is already a required behavior for this setup. `SOA` record and the `NS` record TTL are defined on your external DNS provider and only transferred into Cloudflare.
\ No newline at end of file
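Review bot: The body opens with `# Configure DNS zone defaults` while the front matter already sets `title: Zone defaults`, so the page carries two different titles. The multi-signer setup page in this same patch handles the long and short form with `title:` plus `sidebar: label:`; doing the same here (`title: Configure DNS zone defaults`, `label: Zone defaults`) and dropping the H1 keeps them consistent. The closing paragraph about secondary zones is also indented by one space, and the file has no trailing newline.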
diff --git a/src/content/docs/dns/additional-options/reverse-zones.mdx b/src/content/docs/dns/additional-options/reverse-zones.mdx
index 29ee8f5cbf76fcc..5a43c998a655a0d 100644
--- a/src/content/docs/dns/additional-options/reverse-zones.mdx
+++ b/src/content/docs/dns/additional-options/reverse-zones.mdx
@@ -1,8 +1,8 @@
---
pcx_content_type: how-to
title: Reverse zones and PTR records
-weight: 0
-
+sidebar:
+ order: 5
---
import { Details, Example } from "~/components"
diff --git a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx
index 5992a27ef72a30d..77ab9187a4575b1 100644
--- a/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx
+++ b/src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx
@@ -1,14 +1,14 @@
---
pcx_content_type: how-to
-title: Setup
+title: Set up multi-signer DNSSEC
sidebar:
order: 5
-head:
- - tag: title
- content: Set up multi-signer DNSSEC
+ label: Setup
---
-This page explains how you can enable [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/) with Cloudflare, using the [model 2](/dns/dnssec/multi-signer-dnssec/about/) as described in [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html).
+import { Tabs, TabItem } from "~/components";
+
+This page explains how you can enable [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/about/) with Cloudflare, using the [model 2](/dns/dnssec/multi-signer-dnssec/about/#model-2) as described in [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html).
## Before you begin
@@ -20,12 +20,29 @@ Note that:
## 1. Set up Cloudflare zone
-:::note
+### Cloudflare as Primary (full setup)
+
+If you use Cloudflare as a primary DNS provider, meaning that you manage your DNS records in Cloudflare, do the following:
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone.
+2. Go to **DNS** > **Settings**.
+3. Select **Enable DNSSEC** and **Confirm**.
-The following steps also apply if you use [Cloudflare as a secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), with the difference that, in such case, the records in steps 2 and 3 should be transferred from the primary, and step 4 is not necessary.
+:::note
+For the purpose of this tutorial, you will update your registrar with the DS record later, in [Step 3](/dns/dnssec/multi-signer-dnssec/setup/#3-set-up-registrar).
:::
-1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. This is done by setting `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example.
+4. Also enable **Multi-signer DNSSEC** and **Multi-provider DNS**.
+5. Go to **DNS** > **Records** and create the following records at your zone apex (meaning you should use `@` in the record **Name** field):
+ - A [DNSKEY record](/dns/manage-dns-records/reference/dns-record-types/#ds-and-dnskey) with the zone signing key(s) (ZSKs) of your external provider(s).
+ - A [NS record](/dns/manage-dns-records/reference/dns-record-types/#ns) with your external provider nameservers.
+
+
+
+
+1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example.
```bash
curl --request PATCH \
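Review bot: Step 4 of the new dashboard steps ("Also enable **Multi-signer DNSSEC** and **Multi-provider DNS**") gives no reason for the second toggle, while the API steps further down carry a caution that without it Cloudflare ignores `NS` records created on the zone apex. Dashboard step 5 then asks the reader to create exactly those apex `NS` records, so repeat or link that caution here so the toggle is not skipped. The `:::note` about the DS record also sits between steps 3 and 4; moving it after step 5 would keep the numbered list unbroken.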
@@ -74,27 +91,68 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
}'
```
-4. Enable the usage of the nameservers you added in the previous step by using the API request below. Alternatively, go to [**DNS** > **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/dns/settings) and enable **Multi-provider DNS**.
+4. Enable the usage of the nameservers you added in the previous step by using the API request below.
:::caution
+This step is required. Without turning on this setting, Cloudflare will ignore any `NS` records created on the zone apex. This means that responses to DNS queries made to the zone apex and requesting `NS` records will only contain Cloudflare nameservers.
+:::
+
+```bash
+curl --request PATCH \
+"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: " \
+--header "Content-Type: application/json" \
+--data '{
+ "multi_provider": true
+}'
+```
+
+
+
+
+### Cloudflare as Secondary
-This step is required if you are using Cloudflare as a primary DNS provider - without enabling this setting, Cloudflare will ignore any `NS` records created on the zone apex. This means that responses to DNS queries made to the zone apex and requesting `NS` records will only contain Cloudflare nameservers.
+If you use Cloudflare as a secondary DNS provider, do the following:
-If you are using [Cloudflare as a secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), this step is not necessary.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone.
+2. Go to **DNS** > **Settings**.
+3. For **DNSSEC with Secondary DNS** select **Live signing**.
+
+:::note
+For the purpose of this tutorial, you will update your registrar with the DS record later, in [Step 3](/dns/dnssec/multi-signer-dnssec/setup/#3-set-up-registrar).
:::
+4. Also enable **Multi-signer DNSSEC**.
+5. Add the zone signing key(s) (ZSKs) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
+6. Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.
+
+
+
+
+1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example.
+
```bash
-curl --request PATCH \
-"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \
+$ curl --request PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec' \
--header "X-Auth-Email: " \
--header "X-Auth-Key: " \
--header "Content-Type: application/json" \
--data '{
- "multi_provider": true
+ "status": "active",
+ "dnssec_multi_signer": true
}'
```
+2. Add the ZSK(s) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
+
+3. Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.
+
+
+
+
## 2. Set up external provider
1. Get Cloudflare's ZSK using either the API or a query from one of the assigned Cloudflare nameservers.
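Review bot: The new secondary-zone example starts with a shell prompt, `$ curl --request PATCH '...'`, inside a `bash` fence, while the other `curl` blocks in this file have no prompt and put the URL in double quotes on its own line. Drop the `$ ` so the command can be pasted as is, and match the layout of the neighbouring examples. Both examples in this hunk also authenticate with `X-Auth-Email` and `X-Auth-Key`; an API token sent as `Authorization: Bearer` and scoped to the zone would be the lower-privilege option to show in a how-to.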
@@ -110,7 +168,7 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk" \
Command line query example:
```sh
-dig dnskey @ +noall +answer | grep 256
+$ dig dnskey @ +noall +answer | grep 256
```
2. Add Cloudflare's ZSK that you fetched in the previous step to the DNSKEY record set of your external provider(s).
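Review bot: `grep 256` on the changed `dig` line matches that string anywhere in the answer, including the TTL or the base64 key data, so a key with flags 257 can pass the filter and end up copied into the external provider's DNSKEY set in the next step. Filtering on the flags field, for example `awk '$5 == 256'`, is stricter. The `$ ` prompt this change adds makes the line fail when pasted and is better left out.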
@@ -120,4 +178,4 @@ dig dnskey @ +noall +answer | grep 256
1. Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the [dashboard](https://dash.cloudflare.com/?to=/:account/:zone/dns) by going to **DNS** > **Settings** > **DS Record**.
-2. Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.
+2. Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.
\ No newline at end of file
diff --git a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx
index 64c86646c37ed22..18d9dca401a360d 100644
--- a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx
+++ b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx
@@ -6,7 +6,7 @@ sidebar:
---
-import { Render } from "~/components"
+import { Details, Render } from "~/components"
This page provides information about some of the different types of DNS records that you can manage on Cloudflare. For guidance on how to add, edit, or delete DNS records, refer to [Manage DNS records](/dns/manage-dns-records/how-to/create-dns-records/).
@@ -318,20 +318,73 @@ Within Cloudflare, PTR records are used for reverse DNS lookups and should prefe
### SOA
-A [start of authority (SOA)](https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/) record stores information about your domain such as admin email address, when the domain was last updated, and more.
+A start of authority (SOA) record stores information about your domain such as admin email address, when the domain was last updated, and more. Refer to [What is a DNS SOA record](https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/) for an example.
If you are using Cloudflare for your [authoritative DNS](/dns/zone-setups/full-setup/), you do not need to create an SOA record. Cloudflare creates this record automatically when you start using Cloudflare's authoritative nameservers.
-
+If you have an Enterprise account, you also have the option to change the SOA record values that Cloudflare will use.
+You can do that for existing zones by going to **DNS** > **Records** > **DNS record options**, or you can configure your own [DNS zone defaults](/dns/additional-options/dns-zone-defaults/) and define the SOA record values that Cloudflare will use for all new zones added to your account.
+
+Refer to the following list for information about each SOA record field:
+
+
+
+* **`MNAME`**: The primary nameserver for the zone. Secondary nameservers receive zone updates from the nameserver specified in this field.
+* **`RNAME`**: The email address of the administrator responsible for the zone.
+
+ The `@` symbol is replaced by the first dot. If an email address contains a dot before `@`, this should be represented as `\.`.
+
+ | Email | `RNAME` |
+ |---------------------------|-------------------------|
+ |`john@example.com` | `john.example.com` |
+ |`john.doe@example.com` | `john\.doe.example.com` |
+
+* **`Serial`**: The serial number for the zone. Secondary nameservers initiate zone transfers if this number increases.
+* **`Refresh`**: Time (in seconds) after which a secondary nameserver should query the primary for the `SOA` record, to detect zone changes. Only relevant if DNS NOTIFY ([RFC 1996](https://www.rfc-editor.org/rfc/rfc1996.html)) is not configured.
+
+ | Default | Minimum | Maximum |
+ |--------------|------------|----------|
+ |`10000` | `600` | `86400` |
+
+* **`Retry`**: Time (in seconds) after which a secondary nameserver should retry getting the serial number from the primary nameserver after a failed attempt. Any specified values must not be greater than `Refresh`.
+
+ | Default | Minimum | Maximum |
+ |--------------|------------|----------|
+ |`2400` | `600` | `3600` |
+
+* **`Expire`**: Time (in seconds) after which a secondary nameserver should stop answering queries for a zone if the primary does not respond. Any specified values must not be smaller than `Refresh`.
+
+ | Default | Minimum | Maximum |
+ |--------------|------------|-----------|
+ |`604800` | `86400` | `2419200` |
+
+* **`Record TTL`**: The [time to live](/dns/manage-dns-records/reference/ttl/) of the SOA record.
+
+ | Default | Minimum | Maximum |
+ |--------------|------------|----------|
+ |`3600` | `1800` | `3600` |
+
+* **`Minimum TTL`**: The TTL for caching negative responses. Refer to [RFC 2308](https://www.rfc-editor.org/rfc/rfc2308.html#section-4) for details.
+
+ | Default | Minimum | Maximum |
+ |--------------|------------|----------|
+ |`1800` | `60` | `86400` |
+
+
+
### NS
A [nameserver (NS) record](https://www.cloudflare.com/learning/dns/dns-records/dns-ns-record/) indicates which server should be used for authoritative DNS.
-You only need to add NS records when you are [creating custom or vanity nameservers](/dns/nameservers/custom-nameservers/), using [subdomain setup](/dns/zone-setups/subdomain-setup/), or [delegating subdomains outside of Cloudflare](/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/).
+You only need to add NS records to your DNS records table in Cloudflare when you are using [subdomain setup](/dns/zone-setups/subdomain-setup/) or [delegating subdomains outside of Cloudflare](/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/).
+:::note
+Your assigned Cloudflare nameservers, custom nameservers, and their corresponding [nameserver TTLs](/dns/nameservers/nameserver-options/#nameserver-ttl) are controlled via dedicated sections in [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records). For details, refer to [Nameservers](/dns/nameservers/).
+:::
+
### DS and DNSKEY
[DS and DNSKEY](https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/) records help implement DNSSEC, which cryptographically signs DNS records to prevent domain spoofing.
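Review bot: In the `RNAME` description, "The `@` symbol is replaced by the first dot" reads as if the dot already exists and does the replacing; only the table below makes the rule clear. Suggested wording: "The `@` is written as a dot, so the first unescaped dot in `RNAME` separates the local part from the domain. A dot in the local part is escaped as `\.`." Separately, the `Expire` constraint "must not be smaller than `Refresh`" can never trigger with the listed ranges (`Expire` minimum `86400`, `Refresh` maximum `86400`), so either the ranges or the sentence needs a second look.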
diff --git a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx
index 9f2336e380d6bfd..c964f025023f0c3 100644
--- a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx
+++ b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx
@@ -27,3 +27,7 @@ It may take longer than 5 minutes for you to actually experience record changes,
## Unproxied records
For **DNS only** records, you can choose a TTL between **30 seconds** (Enterprise) or **60 seconds** (non-Enterprise) and **1 day**.
+
+## Nameserver TTL
+
+[Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl) is a separate feature and only affects Cloudflare nameservers and custom nameservers. For other [NS records](/dns/manage-dns-records/reference/dns-record-types/#ns) on your DNS records table, TTL is controlled by their respective TTL fields.
\ No newline at end of file
diff --git a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx
index 7f86c62d5932f7d..3b5e989ac0bd28a 100644
--- a/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx
+++ b/src/content/docs/dns/nameservers/custom-nameservers/account-custom-nameservers.mdx
@@ -10,10 +10,9 @@ head:
description: With account-level custom nameservers, you can use the same custom
nameservers for different zones in the account. The domain or domains that
provide the nameservers names do not have to exist as zones in Cloudflare.
-
---
-import { Example, Render } from "~/components"
+import { Example, Render, Tabs, TabItem } from "~/components"
@@ -25,15 +24,33 @@ For this configuration to be possible, a few conditions apply:
+* Choosing a set from `ns_set 1` through `ns_set 5` will influence how Cloudflare assigns nameservers to your new zones if you configure [DNS zone defaults](/dns/nameservers/nameserver-options/#dns-zone-defaults).
+
## Enable account custom nameservers
### 1. Set up ACNS names and sets
-1. Use the [Add account custom nameserver endpoint](/api/operations/account-level-custom-nameservers-add-account-custom-nameserver) to create account custom nameservers. Follow the [conditions](#configuration-conditions) for `ns_name` and `ns_set`.
+1. Create ACNS names and sets:
+
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. Go to **Manage Account** > **Configurations** > **DNS Settings**.
+3. For **Account custom nameservers**, select **Configure custom nameservers**.
+4. Insert a fully qualified domain name for **Nameserver name** and choose a **Nameserver set**. Follow the [configuration conditions](#configuration-conditions).
+
+
+
+
+Use the [Add account custom nameserver endpoint](/api/operations/account-level-custom-nameservers-add-account-custom-nameserver) to create account custom nameservers. Follow the [conditions](#configuration-conditions) for `ns_name` and `ns_set`.
-Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name.
+
+
+
+Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name, and these nameservers will be listed as options that you can [use on existing zones](#2-use-acns-on-existing-zones) or [set up as default for new zones in the account](#3-optional-make-acns-default-for-new-zones).
2. Make sure `A/AAAA` records with the assigned IPv4 and IPv6 exist at the authoritative DNS of the domain that provides the ACNS names.
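Review bot: The new bullet under the configuration conditions links DNS zone defaults to `/dns/nameservers/nameserver-options/#dns-zone-defaults`, but this patch adds the page at `/dns/additional-options/dns-zone-defaults/`, and the SOA and nameservers pages in this patch link there. Point this link at the new page as well, unless the anchor on nameserver-options is intended and exists. The bullet also says choosing a set "will influence" nameserver assignment without saying how; one sentence on the actual effect would help.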
@@ -53,20 +70,53 @@ Cloudflare will assign an IPv4 and an IPv6 address to each ACNS name.
* If you are using Cloudflare Registrar for the domain that provides the ACNS names, [contact Cloudflare Support](/support/contacting-cloudflare-support/) to add the account custom nameservers and IP addresses as glue records to the domain.
- * If you are not using Cloudflare Registrar for the domain that provides the ACNS names, add the account custom nameservers and IP addresses to your domain's registrar as [glue records](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3). If you do not add these records, DNS lookups for your domain will fail.
+ * If you are not using Cloudflare Registrar for the domain that provides the ACNS names, add the account custom nameservers and IP addresses to your domain's registrar as glue records ([RFC 1912](https://www.rfc-editor.org/rfc/rfc1912.html)). If you do not add these records, DNS lookups for your domain will fail.
### 2. Use ACNS on existing zones
-1. Choose an ACNS set as custom nameservers for a zone. Use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) for each zone.
+1. Choose an ACNS set as custom nameservers for a zone:
+
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone.
+2. Go to **DNS** > **Records**.
+3. For **Custom nameservers**, select **Configure**.
+4. Select **Use your account custom nameservers** and choose a nameserver set from the list.
+5. Select **Save** to confirm.
+
+
+
+
+Use the endpoint [Update DNS Settings for a Zone](/api/operations/dns-settings-for-a-zone-update-dns-settings) and configure the `nameservers` object accordingly for each zone.
+
+
+
2. Make sure the nameservers are updated:
- * If your domain uses [Cloudflare Registrar](/registrar/), [contact Cloudflare Support](/support/contacting-cloudflare-support/) to update your nameservers.
- * If your domain uses a different registrar or if it has been delegated to a parent domain, manually update your nameservers. Refer to [Update nameservers](/dns/nameservers/update-nameservers/) for detailed guidance.
+ * If your domain uses [Cloudflare Registrar](/registrar/), [contact Cloudflare Support](/support/contacting-cloudflare-support/) to update your nameservers.
+ * If your domain uses a different registrar, update the nameservers at your registrar to use the account custom nameservers.
+ * If your zone is delegated to a parent zone, update the corresponding `NS` record at the parent zone.
### 3. (Optional) Make ACNS default for new zones
-To make these ACNS the default nameservers for all new zones added to your account from now on, use the endpoint [Update DNS Settings for an Account](/api/operations/dns-settings-for-an-account-update-dns-settings). Within the `zone_defaults` object, set the following:
+To make ACNS the default option for all new zones added to your account from now on:
+
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. Go to **Manage Account** > **Configurations**.
+3. For **DNS zone defaults**, select **Configure defaults**.
+4. Change the **Nameserver assignment method** to **Account custom nameservers**.
+
+Refer to [DNS zone defaults](/dns/nameservers/nameserver-options/#dns-zone-defaults) for details.
+
+
+
+
+Use the endpoint [Update DNS Settings for an Account](/api/operations/dns-settings-for-an-account-update-dns-settings). Within the `zone_defaults` object, set the following:
```txt
"zone_defaults": {
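Review bot: In the dashboard steps for making ACNS the default, step 2 stops at **Manage Account** > **Configurations**, while the same navigation in "Set up ACNS names and sets" and in the new zone defaults page continues to **DNS Settings**. Use one path throughout. In "Use ACNS on existing zones", the API instruction "configure the `nameservers` object accordingly" gives the reader nothing to act on; name the fields to set or add a request body, as the `zone_defaults` block does for step 3.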
@@ -76,21 +126,45 @@ To make these ACNS the default nameservers for all new zones added to your accou
}
```
+
+
+
## Disable account custom nameservers
### 1. Remove ACNS assignment from zones
To remove ACNS from a zone, first update your nameservers to stop using ACNS:
-* If you are using [Cloudflare Registrar](/registrar/), use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) to change the `enabled` parameter to `false`, and then [contact Cloudflare Support](/support/contacting-cloudflare-support/) to set your nameservers back to the regular Cloudflare-branded nameservers.
-* If you are not using [Cloudflare Registrar](/registrar/), modify the domain's registrar to use your regular Cloudflare-branded nameservers and then use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) to set the `enabled` parameter to `false`.
+
+
-### 2. Delete ACNS names or sets
+* If you are using [Cloudflare Registrar](/registrar/), [contact Cloudflare Support](/support/contacting-cloudflare-support/) to set your nameservers back to the regular Cloudflare branded nameservers.
+* If you are not using [Cloudflare Registrar](/registrar/), modify the domain's registrar to use your regular Cloudflare branded nameservers.
+
+
+
-:::caution
+* If you are using [Cloudflare Registrar](/registrar/), use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) to change the `enabled` parameter to `false`, and then [contact Cloudflare Support](/support/contacting-cloudflare-support/) to set your nameservers back to the regular Cloudflare branded nameservers.
+* If you are not using [Cloudflare Registrar](/registrar/), modify the domain's registrar to use your regular Cloudflare branded nameservers and then use the [Set ACNS Related Zone Metadata endpoint](/api/operations/account-level-custom-nameservers-usage-for-a-zone-set-account-custom-nameserver-related-zone-metadata) to set the `enabled` parameter to `false`.
+
+
+
+
+### 2. Delete ACNS names or sets
Following the [configuration conditions](#configuration-conditions), each set must have between two and five different nameserver names. When you delete all names or leave a set with only one nameserver name, the set will no longer be listed as an option for the zones in your account.
-:::
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. Go to **Manage Account** > **Configurations** > **DNS Settings**.
+3. For **Account custom nameservers**, select **Delete** next to the ACNS name.
+
+
+
Use the [Delete account custom nameserver endpoint](/api/operations/account-level-custom-nameservers-delete-account-custom-nameserver) to delete a specific ACNS.
+
+
+
\ No newline at end of file
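Review bot: The API instructions for removing ACNS from a zone still use the Set ACNS Related Zone Metadata endpoint with `enabled` set to `false`, while this patch switches the enable path to Update DNS Settings for a Zone and its `nameservers` object. If the metadata endpoint is being phased out of these docs, update the disable path too; if both remain valid, say so. The `:::caution` wrapper around the "between two and five different nameserver names" paragraph is also dropped, which makes the warning that a set can disappear from the zone options easy to miss.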
diff --git a/src/content/docs/dns/nameservers/custom-nameservers/index.mdx b/src/content/docs/dns/nameservers/custom-nameservers/index.mdx
index b8e133ea7b43433..87f0369a1406954 100644
--- a/src/content/docs/dns/nameservers/custom-nameservers/index.mdx
+++ b/src/content/docs/dns/nameservers/custom-nameservers/index.mdx
@@ -19,7 +19,7 @@ To use custom nameservers, a zone must be using Cloudflare as [Primary (Full set
## Availability
* Zone custom nameservers are available for zones on Business or Enterprise plans. Via API or on the dashboard.
-* Account custom nameservers are available for customers on Business (after [contacting Cloudflare Support](/support/contacting-cloudflare-support/)) or Enterprise plans. Once configured, account custom nameservers can be used by all zones in the account, regardless of the zone plan. Via API only.
+* Account custom nameservers are available for customers on Business (after [contacting Cloudflare Support](/support/contacting-cloudflare-support/)) or Enterprise plans. Once configured, account custom nameservers can be used by all zones in the account, regardless of the zone plan. Via API or on the dashboard.
* Tenant custom nameservers, if created by the tenant owner, will be available to all zones belonging to any account that is part of the tenant. Via API only.
## Restrictions
diff --git a/src/content/docs/dns/nameservers/custom-nameservers/tenant-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/tenant-custom-nameservers.mdx
index 97d7bca56883287..76f9a347e845928 100644
--- a/src/content/docs/dns/nameservers/custom-nameservers/tenant-custom-nameservers.mdx
+++ b/src/content/docs/dns/nameservers/custom-nameservers/tenant-custom-nameservers.mdx
@@ -91,7 +91,7 @@ curl https://api.cloudflare.com/client/v4/tenants/{tenant_id}/custom_ns \
-2. Add the account custom nameservers and IP addresses to your domain's registrar as [glue (A and AAAA) records](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3)
+2. Add the account custom nameservers and IP addresses to your domain's registrar as glue (A and AAAA) records ([RFC 1912](https://www.rfc-editor.org/rfc/rfc1912.html)).
3. If the domain or domains that are used for the tenant custom nameservers do not exist within the same account, you must create the `A/AAAA` records on the configured nameserver names (for example, `ns1.example.com`) at the authoritative DNS provider.
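Review bot: Step 2 on the tenant page still says "Add the account custom nameservers", although the page is about tenant custom nameservers; since the line is being edited anyway, correct the term. The link also loses its `#section-2.3` fragment, so readers land at the top of RFC 1912 rather than at the section the old glue record link pointed to; keep the fragment unless it was removed on purpose.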
diff --git a/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx b/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx
index eac06f9b0c72414..107479c00573638 100644
--- a/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx
+++ b/src/content/docs/dns/nameservers/custom-nameservers/zone-custom-nameservers.mdx
@@ -28,7 +28,9 @@ To create zone custom nameservers:
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone.
2. Go to **DNS** > **Records**.
-3. On **Custom Nameservers**, click **Add Custom Nameservers** and enter the subdomains used for the ZCNS names (for example, `ns1`, `ns2`, `ns3`).
+3. On **Custom nameservers**, select **Configure**.
+4. Select **Create custom nameservers just for `your-domain.com`** and enter the subdomains used for the ZCNS names (for example, `ns1`, `ns2`, `ns3`).
+5. Select **Save** to confirm.
@@ -40,20 +42,19 @@ Use the [Edit zone endpoint](/api/operations/zones-0-patch) and specify the cust
-Cloudflare will assign an IPv4 and an IPv6 address to each ZCNS name and automatically create the associated `A` or `AAAA` records (visible after you refresh the page).
+Cloudflare will assign an IPv4 and an IPv6 address to each ZCNS name and automatically create the associated `A` or `AAAA` records.
The next step depends on whether you are using [Cloudflare Registrar](/registrar/) for your domain:
- If you are using Cloudflare Registrar for your domain, [contact Cloudflare Support](/support/contacting-cloudflare-support/) to add the custom nameservers and IP addresses as glue records to the domain.
-- If you are not using Cloudflare Registrar for your domain, add the zone custom nameservers at your registrar as your authoritative nameservers and as [glue (A and AAAA) records](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3). If you do not add these records, DNS lookups for your domain will fail.
-
+- If you are not using Cloudflare Registrar for your domain, add the zone custom nameservers at your registrar as your authoritative nameservers and as glue (A and AAAA) records ([RFC 1912](https://www.rfc-editor.org/rfc/rfc1912.html)). If you do not add these records, DNS lookups for your domain will fail.
### Secondary zones
If you are using [Cloudflare as a secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), you can still set up zone custom nameservers. After following the [steps above](/dns/nameservers/custom-nameservers/zone-custom-nameservers/#primary-full-setup-zones) to create zone custom nameservers, do the following:
1. Get the ZCNS IPs. You can see them on the dashboard (**DNS** > **Records**) or you can use the [Zone details endpoint](/api/operations/zones-0-get) to get the `vanity_name_servers_ips`.
2. At your primary DNS provider, add [`NS` records](/dns/manage-dns-records/reference/dns-record-types/#ns) and, on the subdomains that you used as ZCNS names, add `A/AAAA` records.
-3. At your registrar, add the zone custom nameservers as your authoritative nameservers and as [glue (A and AAAA) records](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3).
+3. At your registrar, add the zone custom nameservers as your authoritative nameservers and as glue (A and AAAA) records ([RFC 1912](https://www.rfc-editor.org/rfc/rfc1912.html)).
## Remove zone custom nameservers
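Review bot: Both rewritten glue-record links (the non-Registrar bullet and step 3 under Secondary zones) drop the `#section-2.3` anchor, so readers now land at the top of RFC 1912 instead of on its glue record section. Consider keeping the anchor in the new form, for example `([RFC 1912, section 2.3](https://www.rfc-editor.org/rfc/rfc1912.html#section-2.3))`. The hunk also removes the blank line before `### Secondary zones`, which leaves the heading directly under the last list item; restoring it keeps the list and the heading separate in the source.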
@@ -63,7 +64,7 @@ To remove zone custom nameservers (and their associated, read-only DNS records):
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone.
2. Go to **DNS** > **Records**.
-3. On **Custom nameservers**, select **Remove custom nameservers**.
+3. On **Custom nameservers**, select **Disable**.
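Review bot: Step 3 now tells the reader to select **Disable**, but the section heading and the intro quoted in the hunk header still say "remove zone custom nameservers (and their associated, read-only DNS records)". If **Disable** deletes those records, say so in the step, for example "select **Disable**. This removes the custom nameservers and their read-only DNS records." If it only turns them off, the heading and intro need the same rewording so the procedure and the button agree.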
diff --git a/src/content/docs/dns/nameservers/index.mdx b/src/content/docs/dns/nameservers/index.mdx
index 80c791f2f0ff327..6d1adfb7dfb908a 100644
--- a/src/content/docs/dns/nameservers/index.mdx
+++ b/src/content/docs/dns/nameservers/index.mdx
@@ -20,7 +20,7 @@ Regardless of the type you choose, for these nameservers to be authoritative for
### Standard nameservers
-When you add a domain on a [primary (full)](/dns/zone-setups/full-setup/) DNS setup, Cloudflare automatically assigns two standard nameservers for your zone.
+Unless your account has a specific [DNS zone defaults](/dns/additional-options/dns-zone-defaults/) configuration, when you add a domain on a [primary (full)](/dns/zone-setups/full-setup/) or [secondary](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/) DNS setup, Cloudflare automatically assigns two standard nameservers for your zone.
Standard nameservers are hosted on `ns.cloudflare.com` and follow the pattern `.ns.cloudflare.com`.
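Review bot: The added sentence opens with the exception ("Unless your account has a specific DNS zone defaults configuration") before it states the rule, and it is long enough that the main clause is easy to miss. Suggest leading with the default ("When you add a domain on a primary (full) or secondary DNS setup, Cloudflare automatically assigns two standard nameservers for your zone.") and following it with a short second sentence that links to DNS zone defaults as the way to change this behavior.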
diff --git a/src/content/docs/dns/nameservers/nameserver-options.mdx b/src/content/docs/dns/nameservers/nameserver-options.mdx
index 303810d45d36b27..327d70e20e8ae65 100644
--- a/src/content/docs/dns/nameservers/nameserver-options.mdx
+++ b/src/content/docs/dns/nameservers/nameserver-options.mdx
@@ -10,9 +10,25 @@ import { Example } from "~/components"
Refer to the sections below to learn about different nameserver options.
+## Assignment method
+
+When you add a domain on a full or secondary setup, Cloudflare automatically assigns your nameservers.
+
+The [default assignment method](/dns/zone-setups/reference/nameserver-assignment/) is to use standard nameservers and favor consistent nameserver names across all zones within an account. Nonetheless, in case there are conflicts - for example, if someone else has already added the same zone to a different account - you may get different nameserver names.
+
+To have control over what nameservers are assigned for different zones within an account, you can use [account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/).
+
+### DNS zone defaults
+
+If you have an Enterprise account, you also have the option to [configure your own DNS zone defaults](/dns/additional-options/dns-zone-defaults/) and change how Cloudflare handles nameserver assignment when you add a new zone to your account:
+
+- **Standard nameservers randomized**: instead of attempting consistency, Cloudflare assigns random pairs of nameserver names every time you add a new domain to your account.
+- **Advanced nameservers**: Cloudflare uses the same method as the default - trying to keep nameserver names consistent for different zones within an account - but uses the specific [Foundation DNS nameservers](/dns/foundation-dns/advanced-nameservers/).
+- **Account custom nameservers**: Cloudflare automatically assigns a set of [account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/) that you have previously configured for your account. In this method, **Set 1** will be attempted first and, in case of any conflicts, Cloudflare will cycle through the other nameserver sets, in ascending order.
+
## Multi-provider DNS
-Multi-provider DNS is an optional setting for zones using [full setup](/dns/zone-setups/full-setup/) and is an enforced default behaviour for zones using [secondary setup](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/).
+Multi-provider DNS is an optional setting for zones using [full setup](/dns/zone-setups/full-setup/) and is an enforced default behavior for zones using [secondary setup](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/).
When you enable multi-provider DNS on a primary (full setup) zone:
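Review bot: In the **Account custom nameservers** bullet, the text says Cloudflare tries **Set 1** first and cycles through the other sets in ascending order on conflict, but it never says what happens when every configured set conflicts. Please document that outcome (zone creation fails, or a fallback to another assignment method), since it decides which nameservers the operator has to set at the registrar. Minor: the spaced hyphens used as dashes ("conflicts - for example", "the default - trying") would read better as commas or parentheses.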
@@ -32,6 +48,14 @@ This means that responses to DNS queries made to the zone apex and requesting `N
:::caution
-If you choose this option, you should also make sure to set up [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/).
+If you choose this option and you also want to use DNSSEC on your zone, make sure to set up [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/).
+
+:::
+
+## Nameserver TTL
+
+For both Cloudflare nameservers (standard or advanced) and custom nameservers, the `NS` record time-to-live (TTL) is controlled by the specific setting in **DNS** > **Records** > **DNS record options**.
+
+The default TTL is 24 hours (or 86,400 seconds), but you have the option to lower this value depending on your needs. For example, shorter TTLs can be useful when you are changing nameservers or migrating a zone. Accepted values range from 30 to 86,400 seconds.
-:::
\ No newline at end of file
+This setting can also be configured as a [DNS zone default](/dns/additional-options/dns-zone-defaults/), meaning new zones created in your account will automatically start with the value you define.
\ No newline at end of file
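Review bot: The reworded caution makes multi-signer DNSSEC conditional on using DNSSEC, but it still does not say what goes wrong if DNSSEC is enabled without it; one clause naming the consequence would justify the `:::caution` styling. In the new **Nameserver TTL** section, "the specific setting in **DNS** > **Records** > **DNS record options**" never names the setting, so name it as it appears in the dashboard. The file also still ends without a trailing newline.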
diff --git a/src/content/docs/dns/zone-setups/reference/nameserver-assignment.mdx b/src/content/docs/dns/zone-setups/reference/nameserver-assignment.mdx
index ffd70aca7be9514..f0cb516ee5fd759 100644
--- a/src/content/docs/dns/zone-setups/reference/nameserver-assignment.mdx
+++ b/src/content/docs/dns/zone-setups/reference/nameserver-assignment.mdx
@@ -8,16 +8,14 @@ When you add a domain on a [primary (full)](/dns/zone-setups/full-setup/) or [se
Each domain's assigned nameservers may be different than other domains, even if those domains are within the same account.
-These nameserver assignments cannot be changed unless you set up [custom or vanity nameservers](/dns/nameservers/custom-nameservers/).
+These nameserver assignments cannot be changed. However, depending on your subscription, you may have different options to [control the nameservers assignment method](/dns/nameservers/nameserver-options/#assignment-method) or to use your own [custom nameservers](/dns/nameservers/custom-nameservers/).
:::caution
-
To prevent domain hijacking, you can no longer preset Cloudflare nameservers at your registrar before creating the respective zone in Cloudflare. If you preset your nameservers and then add the domain, your domain will be assigned a new pair of nameservers.
To keep the same nameservers across your domains, use [Account custom nameservers](/dns/nameservers/custom-nameservers/account-custom-nameservers/).
-
:::
For more background on nameserver assignments, refer to [our blog](https://blog.cloudflare.com/whats-the-story-behind-the-names-of-cloudflares-name-servers/).
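Review bot: The replacement line states "These nameserver assignments cannot be changed." and then immediately lists ways to control or replace them, which reads as a contradiction. Suggest a single sentence that scopes the restriction, for example "The assigned nameserver names cannot be edited, but depending on your subscription you can control the nameserver assignment method or use your own custom nameservers." Note that "nameservers assignment method" should be "nameserver assignment method". The blank lines inside `:::caution` are removed here while the nameserver-options.mdx change adds one before its closing `:::`; pick one style for the patch.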
diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx
index add064c80c8c376..0bd55c4b9637263 100644
--- a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx
+++ b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-primary/setup.mdx
@@ -116,7 +116,11 @@ It should also have updated [Access Control Lists (ACLs)](/dns/zone-setups/zone-
Using the information from your secondary DNS provider, [create `NS` records](/dns/manage-dns-records/how-to/create-dns-records/#create-dns-records) on your zone apex listing your secondary nameservers.
-By default, Cloudflare ignores `NS` records that are added to the zone apex. To modify this behaviour, enable [multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns):
+By default, Cloudflare ignores `NS` records added to the zone apex. To modify this behavior, enable [multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns):
+
+:::note
+If your account [zone defaults](/dns/additional-options/dns-zone-defaults/) are already defined to have **Multi-provider DNS** enabled, this step may not be necessary.
+:::
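Review bot: The new `:::note` is inserted directly after a sentence that ends with a colon ("enable [multi-provider DNS](...):"), so it splits the lead-in from the steps it introduces; move the note above that sentence or after the steps. "May not be necessary" is also too vague to act on. The zone defaults page added in this patch says defaults are applied only when a zone is created and can be changed per zone afterwards, so the note should tell readers to check the zone's own **Multi-provider DNS** setting before skipping the step.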
@@ -127,6 +131,8 @@ By default, Cloudflare ignores `NS` records that are added to the zone apex. To
+Send the following `PATCH` request replacing the placeholders with your zone ID and authentication information:
+
```bash
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \
diff --git a/src/content/partials/dns/acns-tcns-intro.mdx b/src/content/partials/dns/acns-tcns-intro.mdx
index 53d0b616fc2937f..d75bd29c06d9035 100644
--- a/src/content/partials/dns/acns-tcns-intro.mdx
+++ b/src/content/partials/dns/acns-tcns-intro.mdx
@@ -9,4 +9,4 @@ import { Markdown } from "~/components"
{props.two}CNS are organized in different sets (`ns_set`) and {props.two}CNS names can be provided by any domain, even if the domain does not exist as a zone in Cloudflare.
-For instance, if the {props.two}CNS are `ns1.example.com` and `ns2.vanity.org`, the domains `example.com` and `vanity.org` are not required to be zones in Cloudflare.
+For instance, if the {props.two}CNS are `ns1.example.com` and `ns2.vanity.test`, the domains `example.com` and `vanity.test` are not required to be zones in Cloudflare.
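Review bot: Replacing `vanity.org` with `vanity.test` puts an example nameserver hostname under `.test`, a reserved TLD that cannot be delegated in public DNS, while the sentence describes custom nameserver names that have to resolve publicly. A documentation-reserved domain such as `example.net` still avoids pointing at a real third-party domain and stays consistent with `ns1.example.com` in the same sentence.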