Merged
18 changes: 15 additions & 3 deletions src/content/docs/dns/proxy-status/enforce-dns-only.mdx
Expand Up @@ -29,6 +29,18 @@ Enabling this setting exposes your origin IP addresses and removes all Cloudflar
Due to DNS caching by recursive resolvers, the transitions from proxied to DNS-only and back may not be instantaneous. Since all proxied records have a TTL of **Auto**, this value (five minutes by default) determines how long resolvers may continue to serve Cloudflare's anycast IPs or your origin IP addresses.
:::

## Zone types

Enforce DNS-only works across all zone setup types:

- [Full setup](/dns/zone-setups/full-setup/): Proxied records in the zone are generally affected, considering a few [exceptions](/dns/proxy-status/enforce-dns-only/#excluded).
- [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): Proxied records in the zone are generally affected, considering a few [exceptions](/dns/proxy-status/enforce-dns-only/#excluded).
- [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If Secondary DNS Overrides is enabled and you have manually set a record's proxy status to proxied, that record will be affected. This also applies to any other `A` or `AAAA` records on the same name. Refer to [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) for details.

:::note[Zone transfers interaction]
While enforce DNS-only is active, zone transfers from the primary (including content or TTL changes) do not change the proxy status of affected records. When you [disable enforce DNS-only](#disable-enforce-dns-only), the records return to proxied.
:::

## Preparation

Before relying on enforce DNS-only as part of your incident response plan, you should:
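Review bot: the `:::note[Zone transfers interaction]` block does not cover a record that the primary deletes while enforce DNS-only is active. The companion note added to the Secondary DNS Overrides page says the override "persists until the record is deleted on the primary", so such a record has nothing to "return to proxied" when enforce DNS-only is disabled; suggest qualifying the last sentence, e.g. "When you disable enforce DNS-only, records that still exist on the primary return to proxied; a record deleted on the primary is removed together with its override." Minor: the Full setup and Partial (CNAME) setup bullets are word-for-word identical and could be collapsed into one bullet, and the `#excluded` links spell out the full page path while `#disable-enforce-dns-only` on the same page uses a bare fragment; pick one style.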
Expand Down Expand Up @@ -90,9 +102,9 @@ Enforce DNS-only does not affect the following records:
- [Tunnel](/tunnel/): CNAME records pointing to a tunnel subdomain. Refer to [Tunnel routing](/tunnel/routing/#create-a-dns-record) or [Cloudflare One](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) for details.
- [Web3 gateways](/web3/): Read-only proxied records managed by the [Web3 gateway configuration](/web3/reference/gateway-dns-records/).
- [Workers](/workers/) custom domains: Read-only proxied records added to the DNS records table when you set up Workers [custom domains](/workers/configuration/routing/custom-domains/).
:::note[Custom domain or route match]
Proxied records that match a Worker [route](/workers/configuration/routing/routes/) are regular DNS records and will be [affected](#included) by the enforce DNS-only setting.
:::
:::note[Custom domain or route match]
Proxied records that match a Worker [route](/workers/configuration/routing/routes/) are regular DNS records and will be [affected](#included) by the enforce DNS-only setting.
:::

## Check current status

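Review bot: the three removed `:::note[Custom domain or route match]` lines and the three added ones are textually identical, and the `-90,9 +102,9` header shows equal line counts, so this hunk is a whitespace or indentation change only. Confirm the intended rendering: the note directly follows the Workers custom domains bullet, and whether it is indented under that item or sits at the top level decides whether MDX renders it inside the last bullet or as a standalone admonition after the list. If it is meant to stand alone, a blank line between the last bullet and `:::note` would make that explicit and avoid the block being read as a lazy continuation of the list item.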
Expand Up @@ -65,6 +65,10 @@ Before you set up Secondary DNS override, make sure that you have:

</TabItem> </Tabs>

:::note[Zone transfers interaction]
Zone transfers from the primary (including content or TTL changes) do not change the proxy status of records you set to proxied. The override persists until the record is deleted on the primary.
:::

## Proxied A and AAAA records

After proxying (orange clouding) a Secondary DNS record, any additional records under that hostname transferred from the primary DNS provider are automatically proxied. This applies to all A and AAAA records under that domain.
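Review bot: the new note says the override persists "until the record is deleted on the primary", but the section that follows explains that once one record under a hostname is proxied, every `A` or `AAAA` record transferred for that hostname is proxied too. With several records on one name it is unclear whether the override ends when any one of them is deleted or only when the last one is; the note should say which, e.g. "until the last `A` or `AAAA` record on that name is deleted on the primary", if that is the behaviour. It would also help to link to the zone-types section of the enforce DNS-only page from this note, since that page now links here for the interaction and a reader arriving from this side otherwise has no pointer back.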
Expand All @@ -77,4 +81,4 @@ Once you create a CNAME record at the apex, existing A or AAAA records on the zo

## Verify that your records are proxied

Query DNS at your assigned Secondary DNS nameserver to confirm the DNS response Cloudflare returns. Records proxied by Cloudflare return [Cloudflare IPs](https://www.cloudflare.com/ips/).
Query DNS at your assigned Secondary DNS nameserver to confirm the DNS response Cloudflare returns. Records proxied by Cloudflare return [Cloudflare IPs](https://www.cloudflare.com/ips/).
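Review bot: the removed and added lines of the "Verify that your records are proxied" paragraph are identical, so this hunk only changes trailing whitespace or the end-of-file newline; nothing to fix there. Since the paragraph is being touched anyway, it could mention that while enforce DNS-only is active the same query returns your origin IP addresses instead of Cloudflare IPs, and that cached answers can lag by up to the Auto TTL (five minutes by default) noted on the enforce DNS-only page; otherwise a reader verifying during an incident may read the expected DNS-only answer as a misconfiguration.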