cloudflare-dns-zones
Install: claude install-skill Goodsmileduck/claude-registry
# Cloudflare DNS Zones
Operational skill for managing Cloudflare DNS through the REST API. Not for Terraform — see the Cloudflare provider docs if IaC is wanted. This skill focuses on the API directly (curl + jq), which is the source of truth every wrapper is built on.
## When to invoke
**Symptoms:**
- Need to add, update, or audit DNS records via script/CI rather than the dashboard.
- A record was switched to proxied (orange cloud) and a non-HTTP service stopped working.
- DNS-01 ACME challenges fail despite a token that "should have permission."
- Bulk record migration into or out of Cloudflare (BIND zone file in hand).
- DKIM, SPF, DMARC TXT records being authored and the long-string semantics matter.
- DNSSEC handoff to the parent registrar.
- The token in use is the deprecated Global API Key.
## Cross-cutting rules
1. **Never use the Global API Key.** It's account-wide and can't be scoped. Use API Tokens (Profile → API Tokens). Every example below uses `Authorization: Bearer $CF_API_TOKEN`.
2. **Scope tokens to the minimum.** A token for DNS work needs `Zone:Read` + `Zone:DNS:Edit` on the specific zones it operates on. Avoid "All Zones" unless the workload genuinely touches all zones.
3. **Discover zone IDs at runtime.** Hard-coding zone IDs in scripts is brittle — they change when zones are recreated. Look them up by name on each run.
4. **Idempotent operations require list-then-act.** There is no "upsert by name+type" endpoint. Always `GET` filtered by `name` and `typ
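
Rules 3 and 4 combined into one script, as an added example that is not part of the skill itself: the zone ID is looked up by name on each run, and a record is created, patched, or left alone depending on what a filtered `GET` returns. The function names and the sample response are assumptions made for illustration; the endpoints are Cloudflare API v4 and the token is read from `$CF_API_TOKEN`.

```shell
#!/usr/bin/env bash
# Added example (not from the skill): zone lookup by name + list-then-act upsert.
CF_API="https://api.cloudflare.com/client/v4"

cf() {  # cf METHOD PATH [JSON_BODY]; token comes from $CF_API_TOKEN
  curl -sS -X "$1" "$CF_API$2" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" ${3:+--data "$3"}
}

zone_id() {  # zone_id ZONE_NAME; fails unless exactly one zone matches
  cf GET "/zones?name=$1" |
    jq -er '.result | if length == 1 then .[0].id else empty end'
}

# Pure decision step: reads a dns_records list response on stdin and prints
# create | noop ID | update ID | ambiguous | error
plan_record() {  # plan_record WANTED_CONTENT
  jq -r --arg want "$1" '
    if   .success != true              then "error"
    elif (.result | length) == 0       then "create"
    elif (.result | length) > 1        then "ambiguous"
    elif .result[0].content == $want   then "noop \(.result[0].id)"
    else "update \(.result[0].id)" end'
}

upsert_record() {  # upsert_record ZONE TYPE FQDN CONTENT
  local zid plan body
  zid=$(zone_id "$1") || { echo "zone $1: not found or not unique" >&2; return 1; }
  plan=$(cf GET "/zones/$zid/dns_records?type=$2&name=$3" | plan_record "$4") || return 1
  body=$(jq -nc --arg t "$2" --arg n "$3" --arg c "$4" '{type:$t,name:$n,content:$c}')
  case $plan in
    # ttl 1 means "automatic"; PATCH omits it so an existing TTL is left alone
    create)    cf POST "/zones/$zid/dns_records" "$(printf '%s' "$body" | jq -c '.ttl=1')" ;;
    update\ *) cf PATCH "/zones/$zid/dns_records/${plan#update }" "$body" ;;
    noop\ *)   echo "unchanged: $2 $3" >&2 ;;
    *)         echo "refusing to guess: $plan result for $2 $3" >&2; return 1 ;;
  esac
}

# Constructed sample list response (not real API output), for offline checks.
SAMPLE_LIST='{"success":true,"result":[{"id":"rec-constructed-1","type":"A","name":"www.example.com","content":"192.0.2.10"}]}'
```

Several records sharing one name and type can be legitimate (round-robin A records, multiple TXT values), so the script stops on more than one match instead of picking one to overwrite.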