Convert full setup to secondary setup
If you initially configured a full setup, you can later convert your zone to use incoming zone transfers (Cloudflare as secondary).
- 
Meaning you have one or more subdomains ( sub.example.com) added to Cloudflare as their own zone, separate from your apex domain (example.com). ↩
Follow the steps below to achieve this conversion.
- 
Import the zone file into your new primary DNS provider. 
- 
At your Cloudflare zone, use the Update DNS Settings endpoint to enable secondary DNS overrides. Set the value for secondary_overridestotrue.
- 
Make adjustments to DNSSEC according to your option for DNSSEC with secondary setup. 
- 
(Optional) Create a Transaction Signature (TSIG). A Transaction Signature (TSIG) authenticates communication between a primary and secondary DNS server. While optional, this step is highly recommended. To create a TSIG using the dashboard: - Log in to the Cloudflare dashboard ↗ and select your account.
- Go to Manage Account > Configurations.
- Select DNS Zone Transfers.
- For TSIG, select Create.
- Enter the following information:
- TSIG name: The name of the TSIG object using domain name syntax (more details in RFC 8945 section 4.2 ↗).
- Secret (optional): Get a shared secret to add to your third-party nameservers. If left blank, this field generates a random secret.
- Algorithm: Choose a TSIG signing algorithm.
 
- Select Create.
 To create a TSIG using the API, send a POST request. 
- 
Create a peer server. To create a peer server using the dashboard: - Log in to the Cloudflare dashboard ↗ and select your account.
- Go to Manage Account > Configurations.
- Select DNS Zone Transfers.
- For Peer DNS servers, select Create.
- Enter the following information, paying particular attention to:
- IP: Specifies where Cloudflare sends transfer requests to.
- Port: Specifies the IP Port for the transfer IP.
- Enable incremental (IXFR) zone transfers: Specifies if Cloudflare sends IXFR requests in addition to the default AXFR requests.
- Link an existing TSIG: If desired, link the TSIG you previously created.
 
- Select Create.
 To create a peer DNS server using the API, send a POST request. 
- Use the Edit Zone endpoint with typeset tosecondaryto convert the zone type. The existing records will remain in place.
- Go to DNS > Settings > DNS Zone Transfers and select Manage linked peers.
- Link the peer server you created in the previous steps and select Save.
- On DNS > Settings, select Initiate zone transfer.
- Confirm the DNS records are transferring as expected.
- Go to DNS > Records ↗ and take note of your new Cloudflare Nameservers.
- At your domain registrar (or parent zone), update your nameservers to include the secondary.cloudflare.comnameservers.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark