Onboarding a brand new domain

I registered a brand new domain to use with Cloudflare (at a third party registrar, as Cloudflare registrar doesn’t support the TLD I needed). I specified two Cloudflare NS servers right after the registration – because I want to use it with Cloudflare and because I don’t have access to any other DNS hosting platform.

Then, I’m unable to onboard this new domain to Cloudflare. The error message I receive is “example.xyz is not a registered domain”. I’m checking NS records via my local resolver (that happens to also be Cloudflare) and getting rcode=REFUSED. Basically, because Cloudflare doesn’t have the zone file for this domain, so it doesn’t resolve, so Cloudflare can’t verify it, so it can’t be onboarded and Cloudflare won’t have the zone file unless it’s onboarded etc etc. Chicken-and-egg problem.

Currently the only workaround is to temporarily provision the zone on Route53, Azure or any other DNS hosting and then migrate it to Cloudflare which is counterintuitive (see support ticket 2355190). There has to be a better way of onboarding new domains.

Hi @emeliyanov,

This is the issue.

Changing the nameservers to point to Cloudflare before you add the site to your Cloudflare account is a security risk, and won’t work as Cloudflare checks for responsive nameservers before adding your site. As they have not been assigned to your domain yet, they won’t respond and you’ll most likely see the error example.com is not a registered domain.

You should be aware of the risks associated with changing your nameservers to Cloudflare’s before adding the site to your account. You are changing the nameservers to point to a service that you don’t yet control. Cloudflare has over 2,500 nameserver combinations but there are a lot more than 2,500 accounts. The nameserver pair you are changing to won’t be unique to you. This is why nameservers are domain specific, not account level. When you add a domain, by default you will use the same pair of nameservers as the rest of your domains, however if the domain has already been added to another account with the same pair, you will be given different ones to point to. This ensures that the domain is always under the control of the rightful owner, but only works if you follow the correct process to add the site in your dashboard and then change the nameservers to the pair requested.

Hi @domjh !

Thank you for your reply. I understand the reason and it makes sense. But what this is essentially saying to a customer: “In order to use our DNS hosting services, you need to sign up for some other DNS hosting service first”. So, perhaps Cloudflare would come up with a separate onboarding workflow for brand new domains when NS is pointing to [Random GUID].ns.cloudflare.com just for verification purposes or something clever like this. Or at least modify the error message to be more clear in this specific case (they can detect this scenario, because the NS records resolve just fine when querying DNS servers authoritative over that TLD – meaning it’s a valid domain and not just random string of characters). That is the purpose of my feedback.

Thank you!
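An added diagnostic for the state both replies describe (not code from either poster or from Cloudflare): it sends a non-recursive SOA query straight to each nameserver you set at the registrar, parses only the 12-byte DNS header with the standard library, and reports whether the server answers REFUSED (zone not provisioned there yet), authoritatively, or lamely. The script file name and the nameserver arguments are assumptions; real queries need network access.

```python
"""Pre-flight delegation check (stdlib only): query each nameserver directly,
recursion disabled, for the zone's SOA and classify what comes back."""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(domain: str, txid: int = 0x1234) -> bytes:
    # Header: id, flags=0 (RD=0 so we see the server's own view), QDCOUNT=1.
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = domain.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # SOA, IN

def parse_header(msg: bytes):
    # Returns (txid, aa, rcode, ancount) from the 12-byte DNS header.
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, bool(flags & 0x0400), flags & 0x000F, ancount

def classify_response(resp: bytes) -> str:
    _txid, aa, rcode, ancount = parse_header(resp)
    if rcode == 5:
        return "REFUSED: server does not hold this zone (not provisioned/onboarded)"
    if rcode == 0 and aa and ancount > 0:
        return "AUTHORITATIVE: zone is served by this nameserver"
    if rcode == 0 and not aa:
        return "LAME: answer lacks the AA flag, server is not authoritative here"
    return f"{RCODES.get(rcode, rcode)}: unexpected answer"

def query_nameserver(domain: str, ns_host: str, timeout: float = 3.0) -> str:
    # One UDP SOA query straight to ns_host, bypassing any recursive resolver.
    query = build_soa_query(domain)
    try:
        addr = socket.gethostbyname(ns_host)  # resolve the nameserver's own name
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (addr, 53))
            resp, _ = s.recvfrom(512)
    except OSError as exc:  # includes socket.timeout
        return f"NO RESPONSE: {exc}"
    if len(resp) < 12 or parse_header(resp)[0] != parse_header(query)[0]:
        return "MALFORMED OR MISMATCHED TXID: response ignored"
    return classify_response(resp)

if __name__ == "__main__":  # usage: check_delegation.py example.xyz NS1 NS2 ...
    dom, *servers = sys.argv[1:]
    for ns in servers:
        print(f"{ns}: {query_nameserver(dom, ns)}")
```

Run it once after changing the delegation and again after adding the site in the dashboard; the REFUSED verdict disappearing is the signal that the zone is now actually served.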

That’s correct, yes.

This would be really useful and has been suggested before.