DNS-as-a-service — Cloudflare primary, deSEC break-glass secondary
2026-06-13 · gf.cx portfolio · resilience
A single Cloudflare account holds all 14 zones plus Pages, Workers and R2. One abuse false-positive freezes every surface at once — and the DNS layer is the worst place to be frozen, because when nameservers stop answering, nothing resolves and there is no surface left to serve an apology from. This is the service that makes that survivable: Cloudflare stays primary; deSEC is a warm secondary kept current nightly; and a one-script lever flips the delegation off Cloudflare when you need it.
One service, two providers, a fail-over seam
| Role | Provider | State |
|---|---|---|
| Primary | Cloudflare | Authoritative, live, where every record is edited |
| Secondary | deSEC | Warm standby — a current copy of each zone, refreshed nightly. Separate company, separate nameservers, separate account |
| Lever | Registrar NS flip | Break-glass cutover, fired by one script |
The secondary is deliberately not in the delegation. It sits warm — synced, validated, ready — until you fire it. That is the “fire-when-ready” property: the standby does nothing in normal operation except stay current, so the day you need it, it is already correct.
The front door — gfcx_dns.py
One verb surface over the moving parts:
- status: where the delegation points (read-only) plus standby freshness
- sync: export every CF zone to BIND (kept in git history), then refresh it into deSEC
- check: health verdict → status.gf.cx card plus a one-line Pushover sentence
- activate: ⚡ break-glass. Precheck that the standby is ready → DNSSEC reminder → hard guard (--apply --confirm FLIP) → flip NS off Cloudflare
- restore: roll the delegation back to Cloudflare
Note what the export carries: proxied records come out with their origin addresses, so the git history and the standby both hold them, and a flipped domain is served straight from those origins with no Cloudflare proxy in front.
Nightly at 03:30 ET a launchd job runs sync then check, publishes the
status.gf.cx card, and pushes the verdict sentence. The daily-hygiene rollup
(07:30) reads the freshness stamp as one of its 24 checks. A standby nobody
verifies is a standby you don’t have.
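An added illustration of the `check` verdict and the `activate` guard described above. This is not the project's gfcx_dns.py; the 30-hour freshness threshold, the verdict wording, the `precheck` behaviour and the exact Namecheap parameter set are assumptions made for the example.

```python
"""Added illustration of the `check` verdict and the `activate` guard from the
verb list above. This is not gfcx_dns.py: the freshness threshold, the verdict
wording and the Namecheap call shape are assumptions made for the example."""
import argparse
import urllib.parse

TOTAL_ZONES = 14
FRESH_HOURS = 30.0  # assumption: one nightly cycle plus slack; older is stale
# deSEC's public nameserver pair, the target of a break-glass NS flip.
DESEC_NS = ("ns1.desec.io", "ns2.desec.org")


def verdict(loaded, age_hours, flip_ready, total=TOTAL_ZONES):
    """Map the standby's state to (colour, one-line sentence).

    RED    : copy is stale or the lever is not ready; not a standby at all.
    YELLOW : fresh and flip-ready, but not every zone is loaded (cap-limited).
    GREEN  : fresh, flip-ready, all zones loaded.
    """
    if age_hours > FRESH_HOURS:
        return "RED", f"standby STALE: last refresh {age_hours:.0f}h ago"
    if not flip_ready:
        return "RED", "standby fresh but NS-flip NOT ready: lever precheck failed"
    colour = "GREEN" if loaded == total else "YELLOW"
    note = "" if loaded == total else " (cap-limited)"
    return colour, f"standby fresh, NS-flip ready; {loaded}/{total} zones loaded{note}"


def activate_armed(argv):
    """Hard guard: the flip only fires with --apply AND the literal
    `--confirm FLIP`; anything less is a dry run."""
    parser = argparse.ArgumentParser(prog="gfcx_dns activate")
    parser.add_argument("--apply", action="store_true")
    parser.add_argument("--confirm", default="")
    args = parser.parse_args(argv)
    return args.apply and args.confirm == "FLIP"


def precheck(colour, ds_removed):
    """Refuse to fire on a RED standby. A DS still published at the parent is
    a warning, not a block: resolvers that cache it will SERVFAIL the zone
    until it is gone, but in a real blackout that may be the lesser evil."""
    if colour == "RED":
        raise RuntimeError("refusing to flip: standby verdict is RED")
    return [] if ds_removed else ["DS still at the parent: go insecure first"]


def namecheap_set_custom_url(domain, nameservers, api_user, api_key, client_ip):
    """Build the Namecheap `namecheap.domains.dns.setCustom` call that moves
    the delegation. Namecheap only accepts API calls from whitelisted source
    IPs, so whitelisting the lever host is preparation, not a fire-time step."""
    sld, tld = domain.split(".", 1)
    params = {
        "ApiUser": api_user, "ApiKey": api_key, "UserName": api_user,
        "ClientIp": client_ip, "Command": "namecheap.domains.dns.setCustom",
        "SLD": sld, "TLD": tld, "Nameservers": ",".join(nameservers),
    }
    return "https://api.namecheap.com/xml.response?" + urllib.parse.urlencode(params)


if __name__ == "__main__":
    # Constructed state: one zone loaded, refreshed 14 minutes ago, lever ready.
    colour, sentence = verdict(loaded=1, age_hours=14 / 60, flip_ready=True)
    print(colour, sentence)
    if activate_armed(["--apply", "--confirm", "FLIP"]):
        for warning in precheck(colour, ds_removed=False):
            print("WARN", warning)
        print(namecheap_set_custom_url("gf.cx", DESEC_NS, "apiuser", "REDACTED", "198.51.100.7"))
```

`restore` is the same `setCustom` call with the Cloudflare-assigned nameserver pair in place of `DESEC_NS`. The URL builder is shown rather than the HTTP call so the example runs offline; the real lever would GET that URL and parse the XML response for `Status="OK"`.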
Why the lever works — registrar independence
This is the whole game, and it is worth stating plainly: the registrar holds the nameserver delegation independently of Cloudflare. A Cloudflare account suspension takes down Cloudflare's nameservers and Cloudflare's dashboard, but it cannot reach into the registrar and stop you pointing the domain somewhere else. The flip is executed against the registrar's API, not Cloudflare's, so it survives a total CF blackout.
- Namecheap holds the NS for gf.cx and xlabs.digital. The lever flips these today. It uses the stored Namecheap API key, so it needs neither email nor an interactive login to fire. One precondition to keep in mind: Namecheap's API only answers calls from whitelisted source IPs, so the host that fires the lever must be whitelisted while everything is still healthy.
⚠ Warning — domains under Cloudflare Registrar are unchangeable in a break-glass moment
Eight domains are registered at Cloudflare Registrar (dansellars.com, audreyinc.com, audreylam.com, dogwoodhouse.org, brooklynbrit.com, dareusa.com, audan.co, dognscarf.com). In a CF suspension, the registrar itself is frozen: their nameservers cannot be edited, by API or by hand. The lever cannot save them after the fact. Their only protection is to move to an independent registrar proactively, while everything is still healthy. You cannot buy this insurance during the fire.
The other dependency — the recovery channel
A failover lever is useless if you can’t reach the accounts that hold it. Two traps:
- Email circular dependency. Recovery email routed through duck.com aliases forwards to gf.cx, whose mail (MX → Fastmail) depends on the exact gf.cx DNS a CF suspension takes down. So at the moment you need to recover, the verification emails bounce. Fix: use dan@dare.co.uk (Google Workspace, independent of gf.cx) as the account email on the registrar, on deSEC, and for the Cloudflare appeal thread. Check that dare.co.uk's own MX does not resolve through the same Cloudflare account; if it does, that channel fails with it.
- But login itself survives. Password (1Password) and TOTP 2FA are both independent of gf.cx, so you can still log in and pull the lever with email down. The email residue shrinks to password-reset flows (which you won't hit if 1P has the password) and the CF appeal correspondence: narrow, and covered by the dan@dare.co.uk channel.
A real bug found and fixed
deSEC’s free tier soft-caps at one domain and checks that cap before it checks
for duplicates — so POST /domains/ returns 403 domain-limit even for a domain
that already exists. The original refresh path (“delete the domain, recreate it
to re-import the records”) was therefore unreachable while capped, and the
standby had been silently frozen at its 2026-06-11 import — a warm standby
that had quietly stopped warming. The fix refreshes records in place via
PUT /domains/{name}/rrsets/, which is cap-independent and has no delete window.
Verified live on gf.cx: rrset-refresh 200 (79 rrsets), apex NS pinned to
deSEC's own nameservers, DNSSEC keys intact. Sync now genuinely mirrors CF.
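An added example of the in-place refresh path, not the project's sync code: it parses a Cloudflare-style BIND export, skips the apex NS/SOA and signer-managed records that deSEC pins itself, raises sub-minimum TTLs, adds deletions for rrsets deSEC still holds but the export no longer has, and builds the single cap-independent PUT. The sample zone is constructed, the deSEC request shape follows the public API docs as I read them (one PUT to `/api/v1/domains/{name}/rrsets/`, `records: []` deletes an rrset), and the 3600 s minimum TTL is an assumption to verify against your account.

```python
"""Added example: mirror a Cloudflare BIND export into deSEC rrsets with one
in-place PUT. Not the project's sync code; sample zone constructed; deSEC
request shape and minimum TTL are assumptions to verify against the docs."""
import json
import urllib.request

DESEC_MIN_TTL = 3600          # assumption: deSEC rejects lower TTLs on standard accounts
APEX_MANAGED = {"NS", "SOA"}  # deSEC pins these at the apex; never upload them
SIGNER_MANAGED = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}

# Constructed sample in the shape of a Cloudflare BIND export.
SAMPLE_EXPORT = """\
;; Domain: gf.cx (constructed sample)
$ORIGIN gf.cx.
gf.cx.  3600  IN  SOA  a.ns.cloudflare.com. dns.cloudflare.com. 1 10000 2400 604800 3600
gf.cx.  3600  IN  NS   a.ns.cloudflare.com.
gf.cx.  1     IN  A    203.0.113.10 ; cf_tags=cf-proxied:true
gf.cx.  3600  IN  MX   10 in1-smtp.messagingengine.com.
www.gf.cx.  1  IN  CNAME  gf.cx.
_dmarc.gf.cx.  3600  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@gf.cx"
"""


def _strip_comment(line):
    """Drop a trailing `;` comment, but keep a `;` inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_export(text, zone):
    """Group a BIND export into deSEC rrsets keyed by (subname, type)."""
    suffix = "." + zone + "."
    rrsets = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line or line.startswith("$"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        if name == zone + ".":
            subname = ""
        elif name.endswith(suffix):
            subname = name[: -len(suffix)]
        else:
            raise ValueError(f"{name} is not in zone {zone}")
        if (subname == "" and rtype in APEX_MANAGED) or rtype in SIGNER_MANAGED:
            continue
        rr = rrsets.setdefault((subname, rtype),
                               {"subname": subname, "type": rtype,
                                "ttl": DESEC_MIN_TTL, "records": []})
        rr["ttl"] = max(rr["ttl"], int(ttl))  # lift Cloudflare's "auto" TTL of 1
        rr["records"].append(rdata)
    return rrsets


def mirror_payload(desired, existing_keys):
    """Bulk PUT body. Rrsets the request does not mention are left as they
    are, so a true mirror also sends `records: []` for every rrset deSEC still
    holds but the export no longer has; an empty record list deletes it."""
    body = list(desired.values())
    for subname, rtype in sorted(existing_keys - set(desired)):
        body.append({"subname": subname, "type": rtype,
                     "ttl": DESEC_MIN_TTL, "records": []})
    return body


def build_refresh_request(zone, body, token):
    """One PUT per zone: no delete/recreate window and no POST /domains/, which
    the free-tier cap rejects before it even checks for a duplicate. Check that
    the domain exists with GET /domains/{zone}/ before sending this."""
    return urllib.request.Request(
        f"https://desec.io/api/v1/domains/{zone}/rrsets/",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Token {token}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    desired = parse_export(SAMPLE_EXPORT, "gf.cx")
    stale = {("old", "A")}  # constructed: an rrset deSEC still has, Cloudflare does not
    body = mirror_payload(desired, set(desired) | stale)
    req = build_refresh_request("gf.cx", body, "REDACTED")
    print(req.get_method(), req.full_url, f"{len(body)} rrsets")
    print(json.dumps(body, indent=1))
```

To actually send it, pass `req` to `urllib.request.urlopen` and treat anything other than 200 as a failed sync; the freshness stamp the nightly `check` reads should only be written after that 200.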
Forward — “domains-as-a-service” via Porkbun
The strategic move is to consolidate all domains at Porkbun, an independent registrar with a full REST API:
- It gets the eight CF-Registrar domains off Cloudflare, so every domain becomes break-glass-capable and managed under one API.
- Porkbun's API covers DNSSEC DS-record management, which Namecheap's does not. That closes the one manual step left in the runbook: today you must log into Namecheap by hand to delete the DS record (go “insecure”) before the NS flip, or validating resolvers SERVFAIL the whole domain. Removing the DS is not instant, either: resolvers keep the parent's DS for its TTL, so a flip fired before that TTL has run out still SERVFAILs at those resolvers until it does. With Porkbun the entire sequence, remove DS, wait out the TTL, then flip NS, collapses into a single programmatic lever. (Verify the current Porkbun DNSSEC-DS endpoints before depending on it; that is the load-bearing capability.)
Transfer feasibility
- The gTLDs transfer cleanly: .com, .org, .co and .digital are all standard TLDs Porkbun accepts. That covers the eight CF domains and xlabs.digital.
- .cx is the one to verify: gf.cx is on the Christmas Island ccTLD, and Porkbun's ccTLD coverage is selective. If unsupported, gf.cx stays at Namecheap, which is fine, since Namecheap is already the independent registrar the lever uses; it simply wouldn't consolidate.
- Move proactively: a transfer-out needs the losing registrar (Cloudflare) functional to unlock the domain and release the EPP auth code. You cannot transfer out of an already-suspended account, which is the very scenario being insured against. Do it while healthy.
- Mind the 60-day locks: any domain registered, transferred, or with an owner change in the last 60 days is ICANN-locked from transfer. A renewal does not trigger this (gf.cx’s recent renewal is fine).
Status & open actions
The service is live and wired (front door, nightly sync, health check, hygiene, status card). Current verdict is YELLOW — honest, because deSEC’s free tier holds only gf.cx so far: “standby fresh — gf.cx refreshed, NS-flip ready; 1/14 zones loaded (cap-limited).”
- Email support@desec.io to raise the domain cap, then load the remaining zones.
- Move the registrar to Porkbun (verify .cx first); set dan@dare.co.uk as the account email.
- Re-target the break-glass lever at the Porkbun API once moved, and fold the DNSSEC go-insecure step into it.