From 4a30102adaa05bbc0f2c78c39c2db738a5560ae2 Mon Sep 17 00:00:00 2001 From: smittal123 Date: Tue, 5 May 2026 12:29:32 -0700 Subject: [PATCH 1/6] Update enforce-dns-only.mdx Updating enforce dns only devdocs for different zone types. --- .../docs/dns/proxy-status/enforce-dns-only.mdx | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx index 3e91d7d0470a39a..6d9ad6a94040d99 100644 --- a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx +++ b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx 
@@ -29,6 +29,18 @@ Enabling this setting exposes your origin IP addresses and removes all Cloudflar Due to DNS caching by recursive resolvers, the transitions from proxied to DNS-only and back may not be instantaneous. Since all proxied records have a TTL of **Auto**, this value (five minutes by default) determines how long resolvers may continue to serve Cloudflare's anycast IPs or your origin IP addresses. ::: +## Zone types + +Enforce DNS-only works across all zone setup types: + +- [Full setup](/dns/zone-setups/full-setup/): All proxied records in the zone are affected. +- [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): All proxied records in the zone are affected. +- [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) is enabled and you have manually set a record's proxy status to proxied, that record will be affected. Records transferred from the primary with their original proxy status are not affected since they are already DNS-only. + +:::note +For secondary zones with overrides enabled, the enforce DNS-only setting will grey-cloud any record you have manually proxied. The proxy status override persists until the record is deleted on the primary and transferred again — changes to content or TTL on the primary do not reset the override. +::: + ## Preparation Before relying on enforce DNS-only as part of your incident response plan, you should: From 1f56cfa4acbe9be7b434433cb77125d7648c97dc Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Wed, 6 May 2026 16:20:09 +0100 Subject: [PATCH 2/6] Apply suggestions from Hannes' review Co-authored-by: Hannes <105781579+hannes-cf@users.noreply.github.com> --- src/content/docs/dns/proxy-status/enforce-dns-only.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx index 6d9ad6a94040d99..958309cd40f1c33 100644 --- a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx +++ b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx 
@@ -33,12 +33,12 @@ Due to DNS caching by recursive resolvers, the transitions from proxied to DNS-o Enforce DNS-only works across all zone setup types: -- [Full setup](/dns/zone-setups/full-setup/): All proxied records in the zone are affected. -- [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): All proxied records in the zone are affected. -- [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) is enabled and you have manually set a record's proxy status to proxied, that record will be affected. Records transferred from the primary with their original proxy status are not affected since they are already DNS-only. +- [Full setup](/dns/zone-setups/full-setup/): All proxied records in the zone are affected (see [exceptions](/dns/proxy-status/enforce-dns-only/#excluded)). +- [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): All proxied records in the zone are affected (see [exceptions](/dns/proxy-status/enforce-dns-only/#excluded)). +- [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) is enabled and you have manually set a record's proxy status to proxied, that record will be affected. :::note -For secondary zones with overrides enabled, the enforce DNS-only setting will grey-cloud any record you have manually proxied. The proxy status override persists until the record is deleted on the primary and transferred again — changes to content or TTL on the primary do not reset the override. +For secondary zones with overrides enabled, the enforce DNS-only setting will disable the proxy status on any record you have manually proxied. 
The proxy status override persists until the record is deleted on the primary even if it gets transferred again — changes to content or TTL on the primary do not affect the proxy status. ::: ## Preparation From d300a7d9f9f062acaa6a22cc25d9d6beadc5fb22 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 6 May 2026 16:34:23 +0100 Subject: [PATCH 3/6] Remove 'all' to clarify descriptions for full and partial setup --- src/content/docs/dns/proxy-status/enforce-dns-only.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx index 958309cd40f1c33..b14748ada683c83 100644 --- a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx +++ b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx @@ -33,8 +33,8 @@ Due to DNS caching by recursive resolvers, the transitions from proxied to DNS-o Enforce DNS-only works across all zone setup types: -- [Full setup](/dns/zone-setups/full-setup/): All proxied records in the zone are affected (see [exceptions](/dns/proxy-status/enforce-dns-only/#excluded)). -- [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): All proxied records in the zone are affected (see [exceptions](/dns/proxy-status/enforce-dns-only/#excluded)). +- [Full setup](/dns/zone-setups/full-setup/): Proxied records in the zone are generally affected, considering a few [exceptions](/dns/proxy-status/enforce-dns-only/#excluded). +- [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): Proxied records in the zone are generally affected, considering a few [exceptions](/dns/proxy-status/enforce-dns-only/#excluded). - [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) is enabled and you have manually set a record's proxy status to proxied, that record will be affected. :::note 
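Review bot: "Proxied records in the zone are generally affected, considering a few [exceptions]" reads awkwardly in both the Full setup and Partial (CNAME) setup bullets of this hunk; "Proxied records in the zone are affected, with a few [exceptions](...)" says the same thing more directly and avoids the hedging "generally". While these two lines are being rewritten, the link target `/dns/proxy-status/enforce-dns-only/#excluded` is an absolute link to the page being edited, whereas the rest of this file uses bare in-page anchors such as `#included`; `#excluded` would be consistent and will not break if the page path changes.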
From bd5001f9e54044871b4e3fb5e53e423e9fa12431 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 7 May 2026 08:32:07 +0100 Subject: [PATCH 4/6] Clarify note under secondary zones description --- .../docs/dns/proxy-status/enforce-dns-only.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx index b14748ada683c83..609813cea4433df 100644 --- a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx +++ b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx @@ -37,9 +37,9 @@ Enforce DNS-only works across all zone setup types: - [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): Proxied records in the zone are generally affected, considering a few [exceptions](/dns/proxy-status/enforce-dns-only/#excluded). - [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) is enabled and you have manually set a record's proxy status to proxied, that record will be affected. -:::note -For secondary zones with overrides enabled, the enforce DNS-only setting will disable the proxy status on any record you have manually proxied. The proxy status override persists until the record is deleted on the primary even if it gets transferred again — changes to content or TTL on the primary do not affect the proxy status. -::: + :::note[Zone transfers interaction] + While enforce DNS-only is active, zone transfers from the primary (including content or TTL changes) do not change the proxy status of affected records. When you [disable enforce DNS-only](#disable-enforce-dns-only), the records return to proxied. + ::: ## Preparation 
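Review bot: The replacement `:::note[Zone transfers interaction]` block in this hunk is indented by a single space, while the `:::note` it replaces and the other directives in this file are flush left. One space after a blank line is not enough to nest the note under the preceding "Secondary zones" list item (that would need the indent of the item's content), so if the intent is to attach the note to that bullet, indent it to match; if not, drop the leading space so the three directive lines match the rest of the page. Separately, the new text links to `#disable-enforce-dns-only`, which is not visible in the diff; confirm that heading exists on the page so the anchor resolves.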
@@ -102,9 +102,9 @@ Enforce DNS-only does not affect the following records: - [Tunnel](/tunnel/): CNAME records pointing to a tunnel subdomain. Refer to [Tunnel routing](/tunnel/routing/#create-a-dns-record) or [Cloudflare One](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) for details. - [Web3 gateways](/web3/): Read-only proxied records managed by the [Web3 gateway configuration](/web3/reference/gateway-dns-records/). - [Workers](/workers/) custom domains: Read-only proxied records added to the DNS records table when you set up Workers [custom domains](/workers/configuration/routing/custom-domains/). - :::note[Custom domain or route match] - Proxied records that match a Worker [route](/workers/configuration/routing/routes/) are regular DNS records and will be [affected](#included) by the enforce DNS-only setting. - ::: + :::note[Custom domain or route match] + Proxied records that match a Worker [route](/workers/configuration/routing/routes/) are regular DNS records and will be [affected](#included) by the enforce DNS-only setting. + ::: ## Check current status From 7e64d96b185c7130bff1f27d7a54ab78fa99f7ac Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 7 May 2026 08:43:06 +0100 Subject: [PATCH 5/6] Add similar note to cf-as-secondary/proxy-traffic --- .../cloudflare-as-secondary/proxy-traffic.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic.mdx index bdc830de1adc1ed..a21202b1749130a 100644 --- a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic.mdx +++ b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic.mdx 
@@ -65,6 +65,10 @@ Before you set up Secondary DNS override, make sure that you have: +:::note[Zone transfers interaction] +Zone transfers from the primary (including content or TTL changes) do not change the proxy status of records you set to proxied. The override persists until the record is deleted on the primary. +::: + ## Proxied A and AAAA records After proxying (orange clouding) a Secondary DNS record, any additional records under that hostname transferred from the primary DNS provider are automatically proxied. This applies to all A and AAAA records under that domain. @@ -77,4 +81,4 @@ Once you create a CNAME record at the apex, existing A or AAAA records on the zo ## Verify that your records are proxied -Query DNS at your assigned Secondary DNS nameserver to confirm the DNS response Cloudflare returns. Records proxied by Cloudflare return [Cloudflare IPs](https://www.cloudflare.com/ips/). +Query DNS at your assigned Secondary DNS nameserver to confirm the DNS response Cloudflare returns. Records proxied by Cloudflare return [Cloudflare IPs](https://www.cloudflare.com/ips/). \ No newline at end of file From b98573a531c170fdb6c162bb2fc9e5b52e6607ec Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 7 May 2026 08:50:17 +0100 Subject: [PATCH 6/6] Mention A/AAAA recods on the same name in enforce-dns-only --- src/content/docs/dns/proxy-status/enforce-dns-only.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx index 609813cea4433df..a2eaaba8f8a5f59 100644 --- a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx +++ b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx 
@@ -35,7 +35,7 @@ Enforce DNS-only works across all zone setup types: - [Full setup](/dns/zone-setups/full-setup/): Proxied records in the zone are generally affected, considering a few [exceptions](/dns/proxy-status/enforce-dns-only/#excluded). - [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): Proxied records in the zone are generally affected, considering a few [exceptions](/dns/proxy-status/enforce-dns-only/#excluded). -- [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) is enabled and you have manually set a record's proxy status to proxied, that record will be affected. +- [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If Secondary DNS Overrides is enabled and you have manually set a record's proxy status to proxied, that record will be affected. This also applies to any other `A` or `AAAA` records on the same name. Refer to [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) for details. :::note[Zone transfers interaction] While enforce DNS-only is active, zone transfers from the primary (including content or TTL changes) do not change the proxy status of affected records. When you [disable enforce DNS-only](#disable-enforce-dns-only), the records return to proxied.
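Review bot: In the second hunk of patch 4 (`@@ -102,9 +102,9 @@` in enforce-dns-only.mdx), the three removed lines and the three added lines of the `:::note[Custom domain or route match]` block are identical as displayed, so this is a whitespace-only change (tabs versus spaces or trailing whitespace). If it is a deliberate indentation fix, say so in the commit message, which currently only mentions clarifying the note under the secondary zones description; otherwise drop it to keep the diff focused.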
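Review bot: In the first hunk of patch 5 (`@@ -65,6 +65,10 @@` in proxy-traffic.mdx), the new `:::note[Zone transfers interaction]` lands directly after the "Before you set up Secondary DNS override, make sure that you have:" prerequisites and before the `## Proxied A and AAAA records` heading, so it reads as part of the prerequisites checklist rather than as a behaviour note. Consider moving it under `## Proxied A and AAAA records`, which already describes how records transferred from the primary are treated once a hostname is proxied; that is where a reader wondering whether a transfer resets the proxy status will look.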
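Review bot: In the second hunk of patch 5 (`@@ -77,4 +81,4 @@` in proxy-traffic.mdx), the only change is that the `+` line now carries `\ No newline at end of file`: the sentence itself is unchanged and the patch strips the file's trailing newline. Restore the final newline before merging; editors, linters and formatters generally expect it, and its absence shows up as a spurious one-line change in every later edit to that file.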
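Review bot: In the patch 6 hunk, "This also applies to any other `A` or `AAAA` records on the same name." states the effect without the reason, so a reader cannot tell whether those records are affected by the enforce DNS-only setting itself or by how Secondary DNS overrides work. Patch 5's proxy-traffic.mdx context explains that once a Secondary DNS record is proxied, additional `A` and `AAAA` records under that hostname transferred from the primary are automatically proxied; making that link explicit, for example "Because proxying a Secondary DNS record also proxies any other `A` or `AAAA` records on the same name, those records are affected as well.", avoids the ambiguity. The commit subject also has "recods" for "records".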