Skip to content

Migrate an existing zone with DNSSEC enabled

Follow this tutorial to migrate an existing DNS zone to Cloudflare without having to disable DNSSEC.

This is an advanced procedure and assume some familiarity with DNS concepts, API operations, and basic setup steps. Assumed knowledge that is not detailed in this tutorial can be referenced through the linked content in each of the steps.

Requirement

The provider you are migrating from must allow you to add DNSKEY records on the zone apex and use these records in responses to DNS queries.

1. Set up Cloudflare

  1. Add your zone to Cloudflare.

    To add your zone using the API, refer to the Create Zone endpoint.

  2. Review the records found by the automatic scan or import your zone file.

    To import the zone file using the API, refer to the Import DNS Records endpoint.

  3. Go to DNS > Settings, and select Enable DNSSEC. Or use the following API request.

Terminal window
curl --request PATCH \
https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"status": "active"}'
  1. Go to DNS > Settings, and enable Multi-signer DNSSEC. Or use the following API request.
Terminal window
curl --request PATCH \
https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"dnssec_multi_signer": true}'

2. Cross-import ZSKs

  1. Add the ZSK of your previous provider to Cloudflare by creating a DNSKEY record on your zone.

You can do this on the dashboard or through the Create DNS Record endpoint, as in the following example.

Terminal window
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"type": "DNSKEY",
"name": "<ZONE_NAME>",
"data": {
"flags": 256,
"protocol": 3,
"algorithm": 13,
"public_key": "<PUBLIC_KEY>"
},
"ttl":3600
}'
  1. Get Cloudflare’s ZSK using either the API or a query from one of the assigned Cloudflare nameservers.

API example:

Terminal window
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"

Command line query example:

Terminal window
dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256
  1. Add Cloudflare’s ZSK that you fetched in the last step to your previous provider.

3. Set up registrar

  1. Add Cloudflare DS record to your registrar. You can see your Cloudflare DS record on the dashboard by going to DNS > Settings > DS Record.
  2. Add Cloudflare assigned nameservers to your registrar. You can see your Cloudflare nameservers by going to DNS > Records.

At this point your zone is in a multi-signer DNSSEC setup.

4. Remove previous provider

  1. Remove your previous provider’s DS record from your registrar.
  2. Remove your previous provider’s nameservers from your registrar.
  3. After waiting at least one and a half times the TTL of your previous provider DS record, you can remove the DNSKEY record (containing your previous provider ZSK) that you added to your Cloudflare zone in step 2.