Switch existing Account from powerdns to cloudflare - inconsistent behavior?

  • What version of apnscp are you running?
    cpcmd misc_cp_version
    revision: dc17cacc523c77f0ec582ddf21e3c292f0911e5c
    timestamp: 1745540622
    ver_maj: 3
    ver_min: 2
    ver_patch: 47
    ver_pre: ‘’
    dirty: false
    debug: false
  • Which version of RHEL or CentOS are you using?
    cat /etc/redhat-release
    AlmaLinux release 8.10
  • Can you reproduce this bug reliably? Provide steps. If not, provide steps to the best of your recollection.
    Yes.
  1. Have a site with powerdns dns provider enabled and rolled
  2. switch dns provider from powerdns to cloudflare and also fill dns key

Hello there,

unsure if this is a bug or wanted behavior. Maybe I missed something.

I have an existing account switched from powerdns provider to cloudflare including jumpstart which was more or less okay:

  • needed to add a lot of records manually which weren’t transferred with jumpstart (looks like sth like a ‘default’ template is created at cloudflare instead of all existing records at powerdns)
  • needed to modify all transferred TXT-Records where the content needs to be in quotation marks

After the change the cloudflare record management “inside” the account is fine but at Nexus level there’s still the powerdns-zone-management.

Would be great if there’s also the actual provider management at nexus level and also incredibly helpful if it’s possible to directly migrate all existing records up to cloudflare.

Thank you for your time in advance!

Best regards

Here’s sample data from a PowerDNS site:

cpcmd -d futz.net dns:export futz.net

;; TXT Records
dkim2._domainkey.futz.net.      14400   IN TXT  v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyRoi7dNiQhOGkDdHS4AmlZiz3hz1UWJZfNbaXIjp/gKUYIl9sEUG2+ehTJoJto+m37IjEM9i9oVqMbVwJmt4Dw7FSUuurTIBvoc3SUoUyyxzuWb+6quERKI8zwLA0VeJLDy8lQaKuZMuhyChainmT/sKT/NrqvRO7tjt+er8qRzc2odSOzU54hjvZKKrIRi8qZVOjE89CUBWmTRY/dt9q2NB0aELMJ5OSoe/oxnXegbaSdqnhrXpQi2KH3BdiItMU44G/cp7pyBJt31C2C+mTbW2pzqinfINUx8Qzk2L7FBN/3AZHNrJJtoij4u96cEa8pKFfu+qggFZYOQmhx87WwIDAQAB
futz.net.       14400   IN TXT  v=spf1 a mx ~all
_apnscp_uuid.futz.net.  14400   IN TXT  8047836965287962489235d6c2d4b-e2da-52c9-b5fc-0bf9c7a6d91c
_dmarc.futz.net.        14400   IN TXT  v=DMARC1; p=none

Change DNS provider to Cloudflare:

EditDomain  -c dns,provider=cloudflare -c dns,key=keyring:cloudflare -D futz.net

cpcmd -d futz.net dns:export futz.net
;; TXT Records
_apnscp_uuid.futz.net.  14400   IN TXT  8047836965287962489235d6c2d4b-e2da-52c9-b5fc-0bf9c7a6d91c
dkim2._domainkey.futz.net.      14400   IN TXT  v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyRoi7dNiQhOGkDdHS4AmlZiz3hz1UWJZfNbaXIjp/gKUYIl9sEUG2+ehTJoJto+m37IjEM9i9oVqMbVwJmt4Dw7FSUuurTIBvoc3SUoUyyxzuWb+6quERKI8zwLA0VeJLDy8lQaKuZMuhyChainmT/sKT/NrqvRO7tjt+er8qRzc2odSOzU54hjvZKKrIRi8qZVOjE89CUBWmTRY/dt9q2NB0aELMJ5OSoe/oxnXegbaSdqnhrXpQi2KH3BdiItMU44G/cp7pyBJt31C2C+mTbW2pzqinfINUx8Qzk2L7FBN/3AZHNrJJtoij4u96cEa8pKFfu+qggFZYOQmhx87WwIDAQAB
_dmarc.futz.net.        14400   IN TXT  v=DMARC1; p=none
futz.net.       14400   IN TXT  v=spf1 a mx ~all

Key is contiguous in Cloudflare’s dashboard.

Jumpstart only fills the most common records. It depends on a scanner that enumerates only a sliver of the potential DNS space: 63 characters per label group, 63^37-2 characters x 15 resource record types ~ 5.64 x 10^67 potential records to scan for.

If a domain exists already upon changing DNS providers, these existing records are neither removed nor imported unless [dns] => migrate is enabled.

If [dns] => migrate is not enabled, then basic DNS records are created as if cpcmd -d DOMAIN dns:provisioning-records DOMAIN were called only if the domain does not exist.

If the domain exists and [dns] => migrate is disabled (default), then it’s necessary to reset DNS. This can be accomplished with cpcmd -d DOMAIN dns:reset DOMAIN to clean all existing records + import base records. It’s also available within the UI under DNS > DNS Manager > Toolbox > Reset DNS.

Quotation marks aren’t mandatory with Cloudflare. Historically they’re used to merge long DNS records, primarily TXT, in DNS backends such as BIND that observe RFC 1035 § 3.3 (see RFC 4408 § 3.1.3) at 255 octets. BIND also doesn’t support CNAME flattening on the apex, fun fact if it ever comes up in trivia.

The only situation where quotations would be necessary in Cloudflare is if they exist within a string boundary, e.g. foo IN TXT "abc"hello"def" but I don’t believe this is your specific concern?
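
As an added example (not part of the thread and not ApisCP code), the following compares two dns:export outputs after normalizing TXT quoting and 255-octet chunking, so quoting-only differences are ignored and records that were not carried over (SPF, DKIM, DMARC) are listed. The domain, the DKIM value and all function names are constructed for illustration; the line layout "name TTL IN TYPE rdata" is assumed from the exports shown above.

```python
import re

def txt_value(rdata):
    """Logical TXT value: quoted character-strings are unescaped and joined."""
    rdata = rdata.strip()
    if not rdata.startswith('"'):
        return rdata  # bare value, as in the exports above
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)

def to_chunks(value, limit=255):
    """Render a value as quoted strings of at most `limit` octets (RFC 1035 § 3.3)."""
    raw = value.encode("ascii")  # assumption: ASCII TXT data (SPF/DKIM/DMARC)
    chunks = [raw[i:i + limit] for i in range(0, len(raw), limit)] or [b""]
    esc = lambda c: c.decode().replace("\\", "\\\\").replace('"', '\\"')
    return " ".join('"%s"' % esc(c) for c in chunks)

def parse_export(text):
    """Map (name, type) -> set of values from 'name TTL IN TYPE rdata' lines."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        value = txt_value(rdata) if rtype == "TXT" else rdata.strip()
        records.setdefault((name.lower(), rtype), set()).add(value)
    return records

def diff_exports(before, after):
    """Return (missing, extra) record values between two exports."""
    b, a = parse_export(before), parse_export(after)
    missing = {k: v - a.get(k, set()) for k, v in b.items() if v - a.get(k, set())}
    extra = {k: v - b.get(k, set()) for k, v in a.items() if v - b.get(k, set())}
    return missing, extra

# Constructed sample data: placeholder domain and a dummy 318-octet DKIM value.
DKIM = "v=DKIM1; k=rsa; p=" + "A" * 300
BEFORE = f""";; TXT Records
example.test.\t14400\tIN TXT\tv=spf1 a mx ~all
_dmarc.example.test.\t14400\tIN TXT\tv=DMARC1; p=none
sel1._domainkey.example.test.\t14400\tIN TXT\t{DKIM}
"""
AFTER = f""";; TXT Records
example.test.\t14400\tIN TXT\t"v=spf1 a mx ~all"
sel1._domainkey.example.test.\t14400\tIN TXT\t{to_chunks(DKIM)}
"""

if __name__ == "__main__":
    missing, extra = diff_exports(BEFORE, AFTER)
    print("missing after switch:", missing)
    print("unexpected after switch:", extra)
```

Feed it the dns:export output captured before and after the provider change; an empty "missing" result means every record, including mail-authentication TXT records, is present at the new provider.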