Learn how Enterprise customers add subdomains to their Cloudflare account via the Subdomain Support feature.
Overview
Cloudflare Subdomain Support simplifies management of Cloudflare performance and security for subdomains and provides several additional benefits. Subdomain Support is available for multiple subdomain levels such as www.example.com, dev.www.example.com, etc.
Terminology
This guide uses the following terms:
- Root domain: A domain purchased from a domain registrar (example.com).
- Child subdomain: A level of subdomain below the root domain (foo.example.com, dev.foo.example.com, or www.dev.foo.example.com).
- Parent domain: The domain or subdomain level directly above the child subdomain (example.com is a parent of foo.example.com and foo.example.com is a parent of dev.foo.example.com).
Benefits
Subdomain Support provides several benefits:
- Subdomain Support allows designated teams within your organization to control Cloudflare settings for a specific subdomain, while your central IT team maintains control of your root or parent domain.
- For example, a central IT team for example.com assigns child subdomains such as api.example.com to other teams while maintaining control of the parent domain’s DNS (example.com).
- api.example.com requires different Cloudflare settings than blog.example.com.
Requirements
Subdomain Support has several noteworthy requirements:
- When the parent domain is active on Cloudflare, migrating a child subdomain from one Cloudflare account to another first requires moving the child subdomain back into the parent domain.
- The parent domain’s SSL certificate displays to visitors of the child subdomain if the parent’s certificate explicitly lists the child subdomain and is created after the child’s SSL certificate was created.
- Example: foo.example.com is a child of example.com. Both domains are on Cloudflare. If example.com has a certificate with foo.example.com explicitly listed as a hostname, the example.com Dedicated certificate is served to visitors of foo.example.com.
- If the parent and child subdomain are both on Cloudflare, match the subdomain setup type (Full or CNAME) to the parent setup type.
- Cloudflare Edge Side Code (ESC) for a parent domain does not automatically apply to child subdomains and requires changes to the ESC.
Add DNSSEC to subdomains
Follow the steps below to enable DNSSEC on both a parent domain and child subdomain.
- Add the child subdomain to your Cloudflare account and note the Cloudflare nameservers provided. Cloudflare nameservers are listed within the Cloudflare DNS app under Cloudflare Nameservers.
- Create two NS records, one for each Cloudflare nameserver, within the Cloudflare DNS app for the parent domain. Ensure the Name of the NS records is the same as the hostname of the child subdomain.
- Validate DNS resolution of the child subdomain.
- Enable DNSSEC for the child subdomain and save the information provided within the DS Record output.
- Add the DS Record from the previous step to the parent domain.
- Add an A record to the child subdomain to validate DNS resolution.
- Wait 2 to 6 hours. Then, test the A record added in the previous step using multiple DNS resolvers with DNSSEC validation (1.1.1.1, 8.8.8.8, and 9.9.9.9). For example, if the A record is for test.child.example.com:
dig test.child.example.com +dnssec @1.1.1.1
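To make the final test repeatable across all three resolvers, the following added example (not Cloudflare's code) classifies `dig +dnssec` output by its response status and AD flag. The function names `classify_dig` and `check_resolvers` and the embedded sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cloudflare's code). Function names and sample output are constructed.

# Read `dig +dnssec` output on stdin and print a verdict:
#   secure   - NOERROR and the AD (Authenticated Data) flag is set
#   insecure - NOERROR without AD, e.g. the DS record is not yet visible at the parent
#   bogus    - SERVFAIL, which validating resolvers return when the chain fails to verify
#   other    - anything else (NXDOMAIN, no header, empty output)
classify_dig() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            sub(/^;; flags: */, ""); sub(/;.*/, "")   # keep only the flag list
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "NOERROR" && ad) print "secure"
            else if (status == "NOERROR") print "insecure"
            else if (status == "SERVFAIL") print "bogus"
            else print "other"
        }'
}

# Query each validating resolver named in the step above and print its verdict.
check_resolvers() {
    for r in 1.1.1.1 8.8.8.8 9.9.9.9; do
        printf '%s\t%s\n' "$r" "$(dig "$1" A +dnssec "@$r" | classify_dig)"
    done
}

# Constructed sample responses (header lines only) for offline checks.
sample_secure() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_unsigned() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_servfail() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4662
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Live use: sh script.sh test.child.example.com
if [ "$#" -gt 0 ]; then check_resolvers "$1"; fi
```

A `bogus` verdict that turns into a normal answer when the query is repeated with `+cd` (checking disabled) points at the DS record in the parent domain not matching the child subdomain's key.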
Add child subdomains to Cloudflare
Add child subdomains on either a Full (default) or CNAME setup. Ideally, the setup used for the child domain should mimic the setup for the parent domain.
| Parent domain setup | Recommended child subdomain setup | Plan type |
| --- | --- | --- |
| Parent domain on Cloudflare via a Full setup | Full setup only | Free, Pro, Business or Enterprise plan |
| Parent domain on Cloudflare via a CNAME setup | CNAME setup only | Business or Enterprise plan |
| The parent domain is not on Cloudflare | Can choose Full or CNAME setup | Business or Enterprise plan required for CNAME setup |
Refer to Understanding a CNAME Setup for information about adding child subdomains.
Add a child subdomain to the Full setup zone. If your parent domain is on a Full setup, add the NS records to the parent domain’s Cloudflare DNS app.
Once you have finished, ensure Cloudflare configurations for the subdomain are moved from the parent domain to the child subdomain.
Best practices for adding child subdomains
The parent domain loses configuration control over the subdomain once the child subdomain is added to Cloudflare. For instance, example.com’s Page Rule for shop.example.com will no longer work when the shop.example.com child subdomain is added to Cloudflare. Move Page Rule configuration from the parent domain to the child subdomain before activating the child subdomain with TXT records or setting NS records.
This concept applies to any Cloudflare feature configured for the child subdomain such as Rate Limiting, DNS, and Firewall Rules.
Migrate a subdomain to a new Cloudflare account
To move a subdomain on a Full setup from one Cloudflare account to another:
- Add the subdomain to the new Cloudflare account.
- Create the subdomain's CNAME or A record within the new Cloudflare account.
- Update the NS records for the subdomain to refer to the new nameservers corresponding to the new Cloudflare account.
- Delete the subdomain's CNAME or A record within the old Cloudflare account.