Cloudflare Docs
DNS
DNS
Visit DNS on GitHub
Set theme to dark (⇧+D)

Set up a child domain

When using a subdomain setup, the steps to create a child domain depend on the parent domain’s setup and whether the child domain already exists.


​​ Available setups

Parent zoneChild zoneAvailable
Full or SecondaryFullYes
Full or SecondarySecondaryYes
Full or SecondaryPartialNo
PartialFullYes
PartialSecondaryYes
PartialPartialYes

​​ Parent domain on full setup

If the parent domain is using a full setup1, your child domain setup depends on whether the child domain already exists.

​​ Subdomain does not exist in the parent domain

If you have not yet created a DNS record covering your child domain in the parent domain:

  1. Add the child domain to the parent domain’s Cloudflare account or another account.

  2. Get the nameserver names for the child domain. These will not be the same nameservers as the parent domain.

  3. Within the DNS > Records of the parent zone, add two NS records in the parent zone for the subdomain you want to delegate.

    For example, if you delegated www.example.com, you might add the following records to example.com:

    TypeNameContent
    NSwwwjohn.ns.cloudflare.com
    NSwwwmelinda.ns.cloudflare.com
  4. After a few minutes, the child domain will be active.

  5. Create the various DNS records needed for your child domain.

  6. (Optional) Enable DNSSEC on the child domain.

​​ Subdomain already exists in the parent domain

If you have already created a DNS record covering your child domain in the parent domain:

  1. Add the child domain to the parent domain’s Cloudflare account or another account.

  2. In your child domain, re-create all DNS records that relate to your child domain. This includes all DNS records deeper than the delegated subdomain, meaning that if you are delegating www.example.com, you should also move over records for api.www.example.com.

  3. In the parent domain, make sure that you migrate over any settings (Firewall rules, Rules, Workers, and more) that might be needed for the child domain.

  4. In the child domain, order an advanced SSL certificate that covers the child subdomain and any deeper subdomains (if present).

  5. Get the nameserver names for the child domain. These will not be the same nameservers as the parent domain.

  6. Within the DNS > Records of the parent zone, delete all non-address records (meaning everything except for A, AAAA, and CNAME records).

  7. Within the DNS > Records of the parent zone, leave one address record and delete the rest.

  8. Using the Cloudflare API, send a PATCH request to change the type of the last address record to NS and its content to one of the child domain’s nameserver names.

  9. Within the DNS > Records of the parent zone, create the second NS record in the parent zone for the subdomain you want to delegate.

    For example, if you delegated www.example.com, you might add the following records to example.com:

    TypeNameContent
    NSwwwjohn.ns.cloudflare.com
  10. Flush the address records of your child domain in public resolvers ( 1.1.1.1 and 8.8.8.8).

  11. Within a short period of time, the child domain should be active.

  12. (Optional) Enable DNSSEC on the child domain.


​​ Parent domain on partial setup

If the parent domain is using a partial setup2, your child domain setup depends on whether the child domain already exists.

​​ Subdomain does not exist in the parent domain

If you have not yet created a DNS record covering your child domain in the parent domain:

  1. Add the child domain in the same or a new account.
  2. Convert the child zone to a partial setup.
  3. Create the various DNS records needed for your child domain.
  4. Add the TXT verification record at your authoritative DNS provider.
  5. Within a short period of time, the child domain should be active.
  6. Add a CNAME record at your authoritative DNS provider.

​​ Subdomain already exists in the parent domain

If you have already created a DNS record covering your child domain in the parent domain:

  1. Add the child domain in the same or a new account.

  2. Convert the child zone to a partial setup.

  3. In your child domain, re-create all DNS records that relate to your child domain. This includes all DNS records deeper than the delegated subdomain, meaning that if you are delegating www.example.com, you should also move over records for api.www.example.com.

  4. In the parent domain, make sure that you migrate over any settings (Firewall rules, Rules, Workers, and more) that might be needed for the child domain.

  5. In the child domain, order an advanced SSL certificate that covers the child subdomain and any deeper subdomains.

  6. Add the TXT verification record at your authoritative DNS provider.

  7. Within a short period of time, the child domain should be active.

  8. Within the DNS > Records of the parent zone, delete any A, AAAA, or CNAME records referencing the child domain or any of its deeper subdomains.


  1. Meaning that Cloudflare is your Authoritative DNS provider. ↩︎

  2. Meaning that another DNS provider - not Cloudflare - maintains your Authoritative DNS. ↩︎