DNSSEC questions about transferring very important domain from Google Domains to Cloudflare


I want to use Cloudflare on my domain that I use for my primary email address, so as you can imagine this is very very important that I not screw this up and have any downtime. Eventually,I want to transfer my domain to Cloudflare and ditch Google domains completely. I just had a few questions.

I plan to change my nameservers over to Cloudflare’s nameservers for a couple weeks before transferring the domain itself.

So my domain at Google Domains has DNSSEC enabled. I am under the impression that I will need to disable this at Google Domains first, and that when I do, Google Domains will un-publish the DS records.

Do I need to disable DNSSEC before changing my nameservers to Cloudflare’s nameservers? When I disable DNSSEC, do I need to manually unpublish the DNSKEY records?

Do I need to disable DNSSEC before transferring the domain name itself to Cloudflare’s registrar?

My understanding of how this needs to work is as follows:

  1. Disable DNSSEC at Google Domains and leave it disabled for a few days.
  2. Switch to Cloudflare’s nameservers
  3. Enable DNSSEC at Cloudflare and wait a few days
  4. Transfer the domain itself to Cloudflare’s registrar.

Is my understanding correct? Again, I really need to not screw this up because this is a very important domain to me, and it’s critical that I have zero downtime.

I should also mention that it’s a .com domain.


Thank you for asking.

Yes, good practice.

  1. Disable DNSSEC at your current domain registrar.
  2. Make sure to double-check for any existing DS records, therefore remove them.
  3. Wait for 48 hours at least, double-check via Verisign DNSSEC or DIG for the DNSSEC status and DS record(s) existance - make sure there are none and DNSSEC disabled.
  4. Proceed to transfer out your domain to your new registrar by unlocking your domain at Google for transfering out and getting the EPP key.
  5. Make a request at Cloudflare to transfer your .com domain to the Cloudflare Registrar following the regular procedure.

Kindly, keep in mind, once you’re domain registrar is Cloudflare Registrar, you won’t be able to change you domain nameservers and point them to some other ns.registrar.com nameservers different than the ones which are assigned to your Cloudflare account.

If the domain name is registered at Cloudflare Registrar, unfortunately, currently you cannot change the nameservers if you use Cloudflare as a domain registrar. Currently, Cloudflare Registrar only lets you use Cloudflare name servers. If you want to use external name servers, you’d have to transfer your domain registration to a different registrar.

More about it, here:

Correct, from my experience and point of view, except the 3. point in which DNSSEC would be enabled after the domain is at Cloudflare Registrar - either automatically, otherwise you can enable it manually from the dashboard.

In case anything happens, just make sure to create a topic here, so we could help investigate, therefore if you write to the Cloudflare Support and make a ticket we could escalate it since it’s DNSSEC related.

Make sure to double-check and backup your DNS records from Google Domains.
Once transfered/added to your Cloudflare account, double-check if they’re okay and existing (since Cloudflare does scan for them, sometimes issues if customers are using an apex * wildcard DNS record at their ex-registrar/hosting).
I’d suggest, make sure all fo the DNS records are set to unproxied :grey:.

Make sure you have a valid SSL certificate and that your Website is working okay before moving to the Cloudflare.

Under the SSL/TLS tab settings, if true and valid SSL cert, make sure tu select “Full (Strict) SSL” option.

Make sure that your origin host/server and/or firewall allows Cloudflare IPs to connect:

Once ready, switch one by one DNS records to :orange:.

Feel free to write in any time here at the :orange: Community for more help :wink:

Helpful articles:

When you turn off DNSSEC, Google Domains immediately unpublishes your domain’s DS records. After that change updates across the internet, your domain is no longer DNSSEC protected. This can take up to 48 hours. To complete the DNSSEC deactivation, Google Domains might unsign your DNS zone.

Hope above helps you a bit.



Wow, fantastic answer! You’re so helpful!

I very rarely do anything with managing my domain names, so it’s always super stressful when I do because I don’t want to mess up a domain that is critical to my personal and professional email. Thanks for the good response.

So here is what I will do.

  1. Disable DNSSEC at Google Domains
  2. Wait a few days for the removal of the DS records to propagate.
  3. Confirm that the DS records are gone from various resolvers around the web. (Not sure what to do about DNSKEY records though, would Google remove them?)
  4. Change my nameservers from Google’s nameservers to Cloudflare’s nameservers, and set everything to unproxied. Wait a couple more days.
  5. Transfer my domain to Cloudflare Registrar.
  6. Profit.

Does this look good to you?

Thanks so much!

1 Like

Once you’r domain is transfered to Cloudflare, it’ll contain Cloudflare’s nameservers by default.

You don’t change domain nameservers at Google and point them to Cloudflare’s nameservers before the domain is transfered to Cloudflare Registrar.
Keep them “as-is” to point at Google until the process of transfering your domain is done.
Once done, they’d automatically be already set to the ones which are assigned your Cloudflare account (if you login to the Cloudflare dashboard, or if you have some zone already added which is using Cloudflare, you can find them and inspect by navigating to the DNS tab of the Cloudflare dashboard).
Once the domain is at Cloudflare, you’d be able to manage your DNS records at Cloudflare dashboard, therefrom you double-check them and make sure they’re unproxied :grey: .

The part which I a bit forgot since I’ve done this years ago, might be something changed, but as far as I know, you manage the DNS records (A, MX, TXT…) once the domain/zone is addad to your Cloudflare account.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.