Zero-downtime-failover question

Exactly - Since CF is proxying your record, the actual DNS records that users get are the same regardless of your dns config.

This failover feature works by first requesting from one of the IP addresses (still determined via round robin I would guess; not sure if this is documented), and if it fails, sending the same request to the other IP address.

Do remember that it only retries for certain status codes - so any other 5xx class error like 500, 502, 504, etc. won’t be retried on the other IP.

Cloudflare currently retries only once for HTTP 521, 522, and 523response codes.