From 3b4ab27a5e047a096ff7cc567a6b4c999702628a Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 17 Jul 2025 13:10:51 +0100 Subject: [PATCH 1/5] Create dedicated section for properties and link to it from #setup --- .../docs/dns/reference/domain-connect.mdx | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/content/docs/dns/reference/domain-connect.mdx b/src/content/docs/dns/reference/domain-connect.mdx index 42a7d4a527c3be4..2b812a2102ecef1 100644 --- a/src/content/docs/dns/reference/domain-connect.mdx +++ b/src/content/docs/dns/reference/domain-connect.mdx @@ -4,8 +4,7 @@ title: Domain Connect sidebar: order: 5 head: [] -description: Learn how to onboard your templates to use Domain Connect with - Cloudflare as DNS provider. +description: Learn how to onboard your templates to use Domain Connect with Cloudflare as DNS provider. --- 
@@ -32,7 +31,10 @@ Domain Connect templates are published and maintained on a GitHub repository. 1. Create a fork of the [templates repository](https://github.com/Domain-Connect/Templates). 2. Add your template. You can create a copy of one of the existing templates and edit it according to your needs. - * Refer to the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc#52-template-definition) for details on the different available fields. + * Refer to the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc) for details on the different available fields. + :::note + Not all properties and fields are supported by Cloudflare, and some will be mandatory for onboarding your template. Refer to the [supported properties](#supported-properties) section below for details. + ::: * If present, you must set the `syncBlock` field on your template to `false`. This means the template flow will be synchronous, which is the only option supported by Cloudflare. * You must also provide a synchronous public key domain (`syncPubKeyDomain` [^1]). When your template is in use, synchronous calls will be digitally signed. 3. Make sure you follow the naming format defined by Domain Connect: `..json`. 
@@ -64,6 +66,16 @@ Send an email to `domain-connect@cloudflare.com`, including the following inform If you have a [DNS provider discovery](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc#dns-provider-discovery) automation in place and will not list new DNS providers manually, Cloudflare can initially restrict your template to be exposed to the specified account only. Once you confirm everything is working as expected, Cloudflare will publish your template on the discovery endpoint, to be picked up by your automation. +## Supported properties + +In the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc) you will find the following properties: + +- Properties that you can use with your [apply template URL](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc#apply-template). +- Properties for [defining the template itself](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc#template-definition). +- Properties for defining the individual [DNS records](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc#template-record). + +While most of these are supported by Cloudflare, some are required and others are not supported. Below is what you need to know when creating your Domain Connect templates to use with Cloudflare. + ## Template updates Since September, 2024, template updates are picked up by an automation. 
@@ -89,4 +101,4 @@ Send an email to `domain-connect@cloudflare.com` with the following information: 2. A [HAR file](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) attachment containing the problematic update. -[^1]: A domain that can be queried for `TXT` records containing a public key to verify your digital signature. +[^1]: A domain that can be queried for `TXT` records containing a public key to verify your digital signature. \ No newline at end of file From 477ed3143379ee69fca12c205fe2d057431b748e Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 17 Jul 2025 17:32:18 +0100 Subject: [PATCH 2/5] Mention linter tool once again and add section for Apply template URL --- src/content/docs/dns/reference/domain-connect.mdx | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/content/docs/dns/reference/domain-connect.mdx b/src/content/docs/dns/reference/domain-connect.mdx index 2b812a2102ecef1..55211a7c63127b3 100644 --- a/src/content/docs/dns/reference/domain-connect.mdx +++ b/src/content/docs/dns/reference/domain-connect.mdx @@ -5,7 +5,6 @@ sidebar: order: 5 head: [] description: Learn how to onboard your templates to use Domain Connect with Cloudflare as DNS provider. - --- If you are a service provider, consider this page for information on how Cloudflare supports [Domain Connect](https://www.domainconnect.org/) and how you can onboard your template. 
@@ -76,6 +75,18 @@ In the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blo While most of these are supported by Cloudflare, some are required and others are not supported. Below is what you need to know when creating your Domain Connect templates to use with Cloudflare. +:::note[Linter tool] +Use Domain Connect's [linter tool](https://github.com/Domain-Connect/dc-template-linter) with the option `-cloudflare` enabled to check your template against Cloudflare specific rules. +::: + +### Apply template URL + +- **Redirect URI**: Domain Connect's documentation states that it must be scoped to the `syncRedirectDomain` from the template, or the request must be signed. Cloudflare requires the request to be signed and, as such, does not check if the `redirect_uri` is scoped to the `syncRedirectDomain`. +- **State**: Is not supported and will be ignored. +- **Service Name**: Is not supported and will be ignored. +- **Signature**: Required. It also must be the last query parameter. +- **Key**: Required. You must publish your public key and place it in a DNS TXT record on a domain specified in the template as `syncPubKeyDomain`. To allow for key rotation, the hostname of the TXT record must be appended as another variable on the query string of the form. + ## Template updates Since September, 2024, template updates are picked up by an automation. From 606e9bf7c6479c70c0d8ad03ed1b51ddb4af07b4 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 17 Jul 2025 17:59:17 +0100 Subject: [PATCH 3/5] Add section for template porperties --- src/content/docs/dns/reference/domain-connect.mdx | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/content/docs/dns/reference/domain-connect.mdx b/src/content/docs/dns/reference/domain-connect.mdx index 55211a7c63127b3..9a472d06c80a1b8 100644 --- a/src/content/docs/dns/reference/domain-connect.mdx +++ b/src/content/docs/dns/reference/domain-connect.mdx 
@@ -87,6 +87,20 @@ Use Domain Connect's [linter tool](https://github.com/Domain-Connect/dc-template - **Signature**: Required. It also must be the last query parameter. - **Key**: Required. You must publish your public key and place it in a DNS TXT record on a domain specified in the template as `syncPubKeyDomain`. To allow for key rotation, the hostname of the TXT record must be appended as another variable on the query string of the form. +### Template definition + +- **Service Provider Name**: Will be displayed on the user interface. +- **Service Name**: Will **not** be displayed on the user interface. +- **Logo**: If present, will be displayed on the user interface. +- **Synchronous Block**: Is not supported and will be ignored. Cloudflare only supports the synchronous flow. +- **Shared**: Is not supported and will be ignored. +- **Shared Service Name**: Is not supported and will be ignored. +- **Synchronous Public Key Domain**: Required. Cloudflare only supports the synchronous flow and always checks for signature. +- **Synchronous Redirect Domains**: Is not supported and will be ignored. Cloudflare looks at the `redirect_uri` provided in the signed apply template url. +- **Multiple Instance**: Is not supported and will be ignored. +- **Warn Phishing**: Is not supported and will be ignored. +- **Host Required**: Is not supported and will be ignored. + ## Template updates Since September, 2024, template updates are picked up by an automation. From 2c2f93f30c13323a6563f4f17e63b4cfa1f91a74 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 17 Jul 2025 18:07:55 +0100 Subject: [PATCH 4/5] Add placeholder section for DNS records and disclaimer paragraph --- src/content/docs/dns/reference/domain-connect.mdx | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/content/docs/dns/reference/domain-connect.mdx b/src/content/docs/dns/reference/domain-connect.mdx index 9a472d06c80a1b8..331156ea2988d6b 100644 
--- a/src/content/docs/dns/reference/domain-connect.mdx +++ b/src/content/docs/dns/reference/domain-connect.mdx @@ -73,7 +73,7 @@ In the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blo - Properties for [defining the template itself](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc#template-definition). - Properties for defining the individual [DNS records](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc#template-record). -While most of these are supported by Cloudflare, some are required and others are not supported. Below is what you need to know when creating your Domain Connect templates to use with Cloudflare. +While most of these are supported by Cloudflare, some are required and others are not supported. :::note[Linter tool] Use Domain Connect's [linter tool](https://github.com/Domain-Connect/dc-template-linter) with the option `-cloudflare` enabled to check your template against Cloudflare specific rules. @@ -81,6 +81,8 @@ Use Domain Connect's [linter tool](https://github.com/Domain-Connect/dc-template ### Apply template URL +For the full list, refer to the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc). Below are the details specific to Cloudflare. + - **Redirect URI**: Domain Connect's documentation states that it must be scoped to the `syncRedirectDomain` from the template, or the request must be signed. Cloudflare requires the request to be signed and, as such, does not check if the `redirect_uri` is scoped to the `syncRedirectDomain`. - **State**: Is not supported and will be ignored. - **Service Name**: Is not supported and will be ignored. 
@@ -89,6 +91,8 @@ Use Domain Connect's [linter tool](https://github.com/Domain-Connect/dc-template ### Template definition +For the full list, refer to the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc). Below are the details specific to Cloudflare. + - **Service Provider Name**: Will be displayed on the user interface. - **Service Name**: Will **not** be displayed on the user interface. - **Logo**: If present, will be displayed on the user interface. @@ -101,6 +105,12 @@ Use Domain Connect's [linter tool](https://github.com/Domain-Connect/dc-template - **Warn Phishing**: Is not supported and will be ignored. - **Host Required**: Is not supported and will be ignored. +### DNS records + +For the full list, refer to the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc). Below are the details specific to Cloudflare. + + + ## Template updates Since September, 2024, template updates are picked up by an automation. From 10d1311d4590e91ed354c326e2f0e6ed64f8a1ee Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 17 Jul 2025 18:32:40 +0100 Subject: [PATCH 5/5] Fill specifics around DNS record fields and adjust heading --- src/content/docs/dns/reference/domain-connect.mdx | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/content/docs/dns/reference/domain-connect.mdx b/src/content/docs/dns/reference/domain-connect.mdx index 331156ea2988d6b..15c22639cb9d040 100644 --- a/src/content/docs/dns/reference/domain-connect.mdx +++ b/src/content/docs/dns/reference/domain-connect.mdx 
@@ -32,7 +32,7 @@ Domain Connect templates are published and maintained on a GitHub repository. 2. Add your template. You can create a copy of one of the existing templates and edit it according to your needs. * Refer to the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc) for details on the different available fields. :::note - Not all properties and fields are supported by Cloudflare, and some will be mandatory for onboarding your template. Refer to the [supported properties](#supported-properties) section below for details. + Not all fields (properties) are supported by Cloudflare, and some will be mandatory for onboarding your template. Refer to the [properties support](#properties-support) section below for details. ::: * If present, you must set the `syncBlock` field on your template to `false`. This means the template flow will be synchronous, which is the only option supported by Cloudflare. * You must also provide a synchronous public key domain (`syncPubKeyDomain` [^1]). When your template is in use, synchronous calls will be digitally signed. @@ -65,7 +65,7 @@ Send an email to `domain-connect@cloudflare.com`, including the following inform If you have a [DNS provider discovery](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc#dns-provider-discovery) automation in place and will not list new DNS providers manually, Cloudflare can initially restrict your template to be exposed to the specified account only. Once you confirm everything is working as expected, Cloudflare will publish your template on the discovery endpoint, to be picked up by your automation. -## Supported properties +## Properties support In the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc) you will find the following properties: 
@@ -100,7 +100,7 @@ For the full list, refer to the [Domain Connect Specification](https://github.co - **Shared**: Is not supported and will be ignored. - **Shared Service Name**: Is not supported and will be ignored. - **Synchronous Public Key Domain**: Required. Cloudflare only supports the synchronous flow and always checks for signature. -- **Synchronous Redirect Domains**: Is not supported and will be ignored. Cloudflare looks at the `redirect_uri` provided in the signed apply template url. +- **Synchronous Redirect Domains**: Is not supported and will be ignored. Cloudflare looks at the `redirect_uri` provided in the signed apply template URL. - **Multiple Instance**: Is not supported and will be ignored. - **Warn Phishing**: Is not supported and will be ignored. - **Host Required**: Is not supported and will be ignored. @@ -109,7 +109,9 @@ For the full list, refer to the [Domain Connect Specification](https://github.co For the full list, refer to the [Domain Connect Specification](https://github.com/Domain-Connect/spec/blob/master/Domain%20Connect%20Spec%20Draft.adoc). Below are the details specific to Cloudflare. - +- **Essential**: Is not supported and will be ignored. +- **TXT Conflict Matching Mode**: Is not supported and will be ignored. +- **TXT Conflict Matching Prefix**: Is not supported and will be ignored. ## Template updates
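
Review bot: In PATCH 1/5, the last hunk (`@@ -89,6 +101,4 @@`) rewrites the `[^1]` footnote line only to drop the file's trailing newline, as the `\ No newline at end of file` marker shows. The footnote text is unchanged, so restore the final newline and let this hunk drop out of the diff.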
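
Review bot: In PATCH 2/5, the **Key** bullet under "Apply template URL" ends with "appended as another variable on the query string of the form." and never shows the form, so a reader cannot tell which query parameter carries the TXT record hostname. Finish the sentence with the actual parameter syntax in backticks. In the same list, the **Redirect URI** bullet justifies skipping the `syncRedirectDomain` scope check by the signature requirement, so it should say explicitly that `redirect_uri` is part of the signed data, and the **Signature** bullet should say what "must be the last query parameter" implies for what the signature covers. Minor: "Cloudflare specific rules" in the linter note should be "Cloudflare-specific rules".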
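
Review bot: In PATCH 3/5, the new **Synchronous Block** bullet ("Is not supported and will be ignored") contradicts the setup step that is still on the page, "If present, you must set the `syncBlock` field on your template to `false`". Either the field is ignored or a `true` value blocks onboarding; pick one and update the setup step or this bullet in the same commit. The **Warn Phishing** bullet also deserves a sentence on the consequence: a template author who sets it should know that no warning will be shown to the user on Cloudflare. The bullets would be easier to map to a template if each gave its JSON key in backticks, as the page already does for `syncBlock` and `syncPubKeyDomain`.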
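
Review bot: In PATCH 4/5, the sentence "For the full list, refer to the [Domain Connect Specification](...)" is added three times, each time linking to the top of the spec, while the list under the properties heading already links to the `#apply-template`, `#template-definition` and `#template-record` anchors. Point each subsection's link at its matching anchor so the reader lands on the relevant list. The "DNS records" subsection is also committed with an intro line and no content; consider squashing this commit with 5/5 so no revision of the page promises "details specific to Cloudflare" and then shows none.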
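
Review bot: In PATCH 5/5, the three "DNS records" bullets say **Essential**, **TXT Conflict Matching Mode** and **TXT Conflict Matching Prefix** are "not supported and will be ignored" without saying what Cloudflare does instead. For the TXT conflict settings in particular, state how existing TXT records on the zone are treated when a template is applied (kept, replaced, or duplicated), since a template author relying on those fields needs to know the resulting record set. The heading rename to "Properties support" and the `#properties-support` link are updated together in this commit, which is correct; check that nothing outside this file still links to `#supported-properties`.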