Contents
Migrate a zone with DNSSEC enabled https://developers.cloudflare.com/dns/dnssec/dnssec-active-migration/
Follow this tutorial to migrate an existing DNS zone to Cloudflare without having to disable DNSSEC.
This procedure involves cross-importing the zone signing keys (ZSKs) from one provider to the other. To learn more about this, consider this article about multi-signer DNSSEC or refer to RFC 8901.
Multi-Signer DNSSEC Models
This is an advanced procedure and assume some familiarity with DNS concepts, API operations, and basic setup steps. Assumed knowledge that is not detailed in this tutorial can be referenced through the linked content in each of the steps.
1. cloudflare
- Enable multi-signer DNSSEC using the following request. This step can only be achieved via the API.
- Cross-import ZSKs
- Add the ZSK of your previous provider to Cloudflare by creating a DNSKEY record on your zone.
- Add Cloudflare’s ZSK that you fetched in the last step to your previous provider.
3. Set up registrar
- Add Cloudflare DS record to your registrar. You can see your Cloudflare DS record on the dashboard
by going to DNS > Settings > DS Record. Add Cloudflare assigned nameservers to your registrar. You can see your Cloudflare nameservers by going to DNS > Records.
At this point your zone is in a multi-signer DNSSEC setup.
You can do this on the dashboard or through the Create DNS Record endpoint, as in the following example.
4. Remove previous provider
- Remove your previous provider’s DS record from your registrar. Remove your previous provider’s nameservers from your registrar. After waiting at least one and a half times the TTL
of your previous provider DS record, you can remove the DNSKEY record (containing your previous provider ZSK) that you added to your Cloudflare zone in step 2.