Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DNS] Exposed DNS settings in dash #16428

Merged
merged 17 commits into from
Dec 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions src/content/docs/dns/additional-options/dns-zone-defaults.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
pcx_content_type: how-to
title: Zone defaults
sidebar:
order: 3
---

# Configure DNS zone defaults

While there are default values for DNS settings that Cloudflare applies to all new zones, Enterprise accounts have the option to configure their own DNS zone defaults according to their preference.

:::caution
DNS zone defaults are only applied at the moment a new zone is created and will not impact already existing zones. Any of the values specified as default can later be adjusted within each zone, on the respective [**DNS** > **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/dns/settings) or [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) page.
:::

## Steps

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
2. Go to **Manage Account** > **Configurations** > **DNS Settings**.
3. For **DNS zone defaults**, select **Configure defaults**.

The values you select for the listed settings will be automatically applied to new zones as you add them to your Cloudflare account.

## Available settings

- [Nameserver assignment](/dns/nameservers/nameserver-options/#assignment-method): Select your preferred nameserver type or assignment method that you want Cloudflare to use for your new zones. This setting applies both to primary zones ([full setup](/dns/zone-setups/full-setup/)) and [secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/).

For primary zones:

- [Multi-provider DNS](/dns/nameservers/nameserver-options/#multi-provider-dns): Control whether or not Cloudflare will consider `NS` records you add on the zone apex and if zones that contain external nameservers listed in the registrar will be activated.
- [Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl): Control how long, in seconds, your nameserver (`NS`) records are cached. The default time-to-live (TTL) is 24 hours. This setting applies both to Cloudflare nameservers and [custom nameservers](/dns/nameservers/custom-nameservers/).
- [SOA record](/dns/manage-dns-records/reference/dns-record-types/#soa): Adjust values for the start of authority (SOA) record that Cloudflare creates for your zone.

For secondary zones:

- [Secondary DNS override](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/): Enable the options to use Cloudflare [proxy](/dns/manage-dns-records/reference/proxied-dns-records/) and add `CNAME` records at your zone apex.

Multi-provider DNS does not apply as a setting for secondary zones, as this is already a required behavior for this setup. `SOA` record and the `NS` record TTL are defined on your external DNS provider and only transferred into Cloudflare.
4 changes: 2 additions & 2 deletions src/content/docs/dns/additional-options/reverse-zones.mdx
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
---
pcx_content_type: how-to
title: Reverse zones and PTR records
weight: 0

sidebar:
order: 5
---

import { Details, Example } from "~/components"
Expand Down
90 changes: 74 additions & 16 deletions src/content/docs/dns/dnssec/multi-signer-dnssec/setup.mdx
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
---
pcx_content_type: how-to
title: Setup
title: Set up multi-signer DNSSEC
sidebar:
order: 5
head:
- tag: title
content: Set up multi-signer DNSSEC
label: Setup
---

This page explains how you can enable [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/) with Cloudflare, using the [model 2](/dns/dnssec/multi-signer-dnssec/about/) as described in [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html).
import { Tabs, TabItem } from "~/components";

This page explains how you can enable [multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/about/) with Cloudflare, using the [model 2](/dns/dnssec/multi-signer-dnssec/about/#model-2) as described in [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html).

## Before you begin

Expand All @@ -20,12 +20,29 @@ Note that:

## 1. Set up Cloudflare zone

:::note
### Cloudflare as Primary (full setup)

If you use Cloudflare as a primary DNS provider, meaning that you manage your DNS records in Cloudflare, do the following:

<Tabs syncKey="dashPlusAPI">
<TabItem label="Dashboard">
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone.
2. Go to **DNS** > **Settings**.
3. Select **Enable DNSSEC** and **Confirm**.

The following steps also apply if you use [Cloudflare as a secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), with the difference that, in such case, the records in steps 2 and 3 should be transferred from the primary, and step 4 is not necessary.
:::note
For the purpose of this tutorial, you will update your registrar with the DS record later, in [Step 3](/dns/dnssec/multi-signer-dnssec/setup/#3-set-up-registrar).
:::

1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. This is done by setting `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example.
4. Also enable **Multi-signer DNSSEC** and **Multi-provider DNS**.
5. Go to **DNS** > **Records** and create the following records at your zone apex (meaning you should use `@` in the record **Name** field):
- A [DNSKEY record](/dns/manage-dns-records/reference/dns-record-types/#ds-and-dnskey) with the zone signing key(s) (ZSKs) of your external provider(s).
- A [NS record](/dns/manage-dns-records/reference/dns-record-types/#ns) with your external provider nameservers.

</TabItem>
<TabItem label="API">

1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example.

```bash
curl --request PATCH \
Expand Down Expand Up @@ -74,27 +91,68 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
}'
```

4. Enable the usage of the nameservers you added in the previous step by using the API request below. Alternatively, go to [**DNS** > **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/dns/settings) and enable **Multi-provider DNS**.
4. Enable the usage of the nameservers you added in the previous step by using the API request below.

:::caution
This step is required. Without turning on this setting, Cloudflare will ignore any `NS` records created on the zone apex. This means that responses to DNS queries made to the zone apex and requesting `NS` records will only contain Cloudflare nameservers.
:::

```bash
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"multi_provider": true
}'
```

</TabItem>
</Tabs>

### Cloudflare as Secondary

This step is required if you are using Cloudflare as a primary DNS provider - without enabling this setting, Cloudflare will ignore any `NS` records created on the zone apex. This means that responses to DNS queries made to the zone apex and requesting `NS` records will only contain Cloudflare nameservers.
If you use Cloudflare as a secondary DNS provider, do the following:

If you are using [Cloudflare as a secondary DNS provider](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/), this step is not necessary.
<Tabs syncKey="dashPlusAPI">
<TabItem label="Dashboard">

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and zone.
2. Go to **DNS** > **Settings**.
3. For **DNSSEC with Secondary DNS** select **Live signing**.

:::note
For the purpose of this tutorial, you will update your registrar with the DS record later, in [Step 3](/dns/dnssec/multi-signer-dnssec/setup/#3-set-up-registrar).
:::

4. Also enable **Multi-signer DNSSEC**.
5. Add the zone signing key(s) (ZSKs) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
6. Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.

</TabItem>
<TabItem label="API">

1. Use the [Edit DNSSEC Status endpoint](/api/operations/dnssec-edit-dnssec-status) to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set `status` to `active` and `dnssec_multi_signer` to `true`, as in the following example.

```bash
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \
$ curl --request PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec' \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"multi_provider": true
"status": "active",
"dnssec_multi_signer": true
}'
```

2. Add the ZSK(s) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.

3. Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.

</TabItem>
</Tabs>

## 2. Set up external provider

1. Get Cloudflare's ZSK using either the API or a query from one of the assigned Cloudflare nameservers.
Expand All @@ -110,7 +168,7 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk" \
Command line query example:

```sh
dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256
$ dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256
```

2. Add Cloudflare's ZSK that you fetched in the previous step to the DNSKEY record set of your external provider(s).
Expand All @@ -120,4 +178,4 @@ dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256

1. Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the [dashboard](https://dash.cloudflare.com/?to=/:account/:zone/dns) by going to **DNS** > **Settings** > **DS Record**.

2. Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.
2. Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ sidebar:

---

import { Render } from "~/components"
import { Details, Render } from "~/components"

This page provides information about some of the different types of DNS records that you can manage on Cloudflare. For guidance on how to add, edit, or delete DNS records, refer to [Manage DNS records](/dns/manage-dns-records/how-to/create-dns-records/).

Expand Down Expand Up @@ -318,20 +318,73 @@ Within Cloudflare, PTR records are used for reverse DNS lookups and should prefe

### SOA

A [start of authority (SOA)](https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/) record stores information about your domain such as admin email address, when the domain was last updated, and more.
A start of authority (SOA) record stores information about your domain such as admin email address, when the domain was last updated, and more. Refer to [What is a DNS SOA record](https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/) for an example.

If you are using Cloudflare for your [authoritative DNS](/dns/zone-setups/full-setup/), you do not need to create an SOA record. Cloudflare creates this record automatically when you start using Cloudflare's authoritative nameservers.

<Render file="api-field-definitions" />
If you have an Enterprise account, you also have the option to change the SOA record values that Cloudflare will use.
You can do that for existing zones by going to **DNS** > **Records** > **DNS record options**, or you can configure your own [DNS zone defaults](/dns/additional-options/dns-zone-defaults/) and define the SOA record values that Cloudflare will use for all new zones added to your account.

Refer to the following list for information about each SOA record field:

<Details header="SOA record fields">

* **`MNAME`**: The primary nameserver for the zone. Secondary nameservers receive zone updates from the nameserver specified in this field.
* **`RNAME`**: The email address of the administrator responsible for the zone.

The `@` symbol is replaced by the first dot. If an email address contains a dot before `@`, this should be represented as `\.`.

| Email | `RNAME` |
|---------------------------|-------------------------|
|`john@example.com` | `john.example.com` |
|`john.doe@example.com` | `john\.doe.example.com` |

* **`Serial`**: The serial number for the zone. Secondary nameservers initiate zone transfers if this number increases.
* **`Refresh`**: Time (in seconds) after which a secondary nameserver should query the primary for the `SOA` record, to detect zone changes. Only relevant if DNS NOTIFY ([RFC 1996](https://www.rfc-editor.org/rfc/rfc1996.html)) is not configured.

| Default | Minimum | Maximum |
|--------------|------------|----------|
|`10000` | `600` | `86400` |

* **`Retry`**: Time (in seconds) after which a secondary nameserver should retry getting the serial number from the primary nameserver after a failed attempt. Any specified values must not be greater than `Refresh`.

| Default | Minimum | Maximum |
|--------------|------------|----------|
|`2400` | `600` | `3600` |

* **`Expire`**: Time (in seconds) after which a secondary nameserver should stop answering queries for a zone if the primary does not respond. Any specified values must not be smaller than `Refresh`.

| Default | Minimum | Maximum |
|--------------|------------|-----------|
|`604800` | `86400` | `2419200` |

* **`Record TTL`**: The [time to live](/dns/manage-dns-records/reference/ttl/) of the SOA record.

| Default | Minimum | Maximum |
|--------------|------------|----------|
|`3600` | `1800` | `3600` |

* **`Minimum TTL`**: The TTL for caching negative responses. Refer to [RFC 2308](https://www.rfc-editor.org/rfc/rfc2308.html#section-4) for details.

| Default | Minimum | Maximum |
|--------------|------------|----------|
|`1800` | `60` | `86400` |


</Details>

### NS

A [nameserver (NS) record](https://www.cloudflare.com/learning/dns/dns-records/dns-ns-record/) indicates which server should be used for authoritative DNS.

You only need to add NS records when you are [creating custom or vanity nameservers](/dns/nameservers/custom-nameservers/), using [subdomain setup](/dns/zone-setups/subdomain-setup/), or [delegating subdomains outside of Cloudflare](/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/).
You only need to add NS records to your DNS records table in Cloudflare when you are using [subdomain setup](/dns/zone-setups/subdomain-setup/) or [delegating subdomains outside of Cloudflare](/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/).

<Render file="api-field-definitions" />

:::note
Your assigned Cloudflare nameservers, custom nameservers, and their corresponding [nameserver TTLs](/dns/nameservers/nameserver-options/#nameserver-ttl) are controlled via dedicated sections in [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records). For details, refer to [Nameservers](/dns/nameservers/).
:::

### DS and DNSKEY

[DS and DNSKEY](https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/) records help implement DNSSEC, which cryptographically signs DNS records to prevent domain spoofing.
Expand Down
4 changes: 4 additions & 0 deletions src/content/docs/dns/manage-dns-records/reference/ttl.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,7 @@ It may take longer than 5 minutes for you to actually experience record changes,
## Unproxied records

For **DNS only** records, you can choose a TTL between **30 seconds** (Enterprise) or **60 seconds** (non-Enterprise) and **1 day**.

## Nameserver TTL

[Nameserver TTL](/dns/nameservers/nameserver-options/#nameserver-ttl) is a separate feature and only affects Cloudflare nameservers and custom nameservers. For other [NS records](/dns/manage-dns-records/reference/dns-record-types/#ns) on your DNS records table, TTL is controlled by their respective TTL fields.
Loading
Loading