Removal on "zone_set" from API

Cloudflare is forgetting its roots. Without a group of original partners, there is no CF today. I am sure no one will object when I say this. It was this group of original partners that enabled CF to enter China. I am the partner in China, the original version and the latest portal sales enterprise plan.

Please do not ignore the voice of the original partner. This will make CF no credibility in the future.

1 Like

We are the current enterprise version sales partner in China and the original HOST API partner. We have developed our own apps to serve our customers in China. But all applications rely on the HOST API. Cloudflare now disables the Host API. This greatly affects the visit of customers in China. Dash.chungtat.com visits in China are extremely volatile. We serve mainland China. This is no doubt an attempt to drive us to destruction. We hope the partner team can face up to the problems and solve them. Not one size fits all.

1 Like

Since CF are ignoring us (8 day old ticket with no reply from CF), has anyone already contacted [email protected] to see if they can get an answer/story out of CF?

So the issue isn’t a security issue. It’s a pay up partners issue. Check out this reply. Pretty sad.

Cloudflare currently has two partner programs, a legacy one that utilises the Host API and a new one that utilises the Tenant API (https://cloudflare.com/partners). In an emergency change, Cloudflare had to disable the partial setup on the legacy Host API. Partners that have a high minimum spending can apply for the new Partners API. If the application for the new program was rejected, then I’m afraid that there is no option to continue using the CNAME/partial setups through the Partners API.
The domains that are already active should not be changed or have any effect, however, the new zones going forward would need to be on a full setup. We are checking with our teams internally on your questions, and will get back to you once we have more information.

1 Like

Was that a reply from support or a public URL? (It does appear to explain their actions though.)

Hey everyone,

We know that this has caused pain for many of you, so let me share a bit about why we made this change and what you can do about it.

Why the sudden change?
We discovered a security vulnerability in the zone_set operation of the Host API. Our only available recourse was to disable the endpoint. We sent an email as a heads up, but couldn’t wait to make the change even though we knew it would likely break many partners existing workflows.

What can be done going forward?
To re-iterate, the zone_set API will not be re-enabled in any form. The two recommended options are:
A) Migrate to using the full_zone_set API to onboard customers.
B) Migrate to using the tenant API offered through our updated partner program. This API allows you to create partial zones, but requires those zones to be authenticated with TXT records.

I hope that you can understand that we didn’t make this decision lightly, and that the security of our customers and platform required us to take action.

6 Likes

wouldn’t it been a better solution to add TXT verification to zone_set than effectively killing our clients ongoing projects now causing months of delays? Clients that already spend thousands of $ every month.

The “updated” partner program looks like a different deal and setup, and I assume you have no way of converting a Hosting partner to the new program, keeping current zones as is.

1 Like

I believe that the partner program should serve everyone, without requiring a minimum cost.
(Which is what is happening with the new API. Asking for an annual cost of at least $1000)

That would be interesting.
So we could provide your services free of charge to our customers and as partners we could get a good discount when offering your paid services to our customers.

We are really very disappointed.
Everything that is happening is due to money.

I finally got some solid information from CF Customer Development.

Requirements for the lowest tier of Partnership.

  • Certifications = 2 Sales & 1 Technical resources
    *** Monthly Recurring Revenue = $10k+**
  • Reference Customers: 1 per year

TXT verification on zone_set was an option we considered, but unfortunately wasn’t possible due to constraints in the legacy system. The zone_set API works differently than our standard partial zone setup in many ways that we couldn’t reconcile.

Our plan has always been to let the legacy host API exist until there was a clear migration path to the tenant API, which is the host API’s successor. It follows a similar workflow but incorporates all the latest Cloudflare has to offer. This security issue forced us to take action sooner against the zone_set endpoint.

Will there be a write-up on what this security issue was at any point? :eyes:

1 Like

I’ve heard they will allow you to post a 10m bond and instead charge $500k per violation of their security practices. Should be super cheap cyber insurance if you have legitimate controls in place as a reputable partner.

3 Likes

Just kidding… security of customers doesn’t have a price tag to compromise at Cloudflare as far as I know. Seems like a horrible business practice if it was all about money but :man_shrugging: I don’t have a degree in finance.

2 Likes

And that $10k is the driving commercial factor here. A good way to thin partners down to only the highest spenders. Sad, but it is CF’s choice. We won’t be able to offer, or even promote CF to clients now.

So glad to find this one here - all attempts to contact CF were met with auto-close ticket replies or blank confusion from staff members who had never heard of the hosting partner programme.

Definitely a way to get rid of the programme in my view. Shame it was done so suddenly and with no follow up.

Note that modifications are also not possible, not just new creates.

1 Like

Well, that is the reason why Cloudflare did not fix our bug with the “Bot Fight Mode” we have for 3 months now. GGWP Cloudflare.

How to get rid of your unprofitable partners without getting get rid of your unprofitable partners! :stuck_out_tongue:

So just to confirm the successor is $10k/mo minimum commit?

You need to be more transparent.

So goodbye Cloudflare… it was nice to meet you

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.