cloudflare · ngayerie · May 13, 2026 · May 13, 2026
diff --git a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx
@@ -335,6 +335,46 @@ Service Binding (SVCB) and HTTPS Service (HTTPS) records allow you to provide a
 
 If your domain has [HTTP/2 or HTTP/3 enabled](/speed/optimization/protocol/), [proxied DNS records](/dns/proxy-status/), and is also using [Universal SSL](/ssl/edge-certificates/universal-ssl/), Cloudflare automatically generates HTTPS records on the fly, to advertise to clients how they should connect to your server.
 
+:::note[Proxied vs DNS-only hostnames]
+For [proxied (orange cloud)](/dns/proxy-status/) hostnames, Cloudflare synthesizes HTTPS records automatically when Universal SSL is enabled. Manually-added HTTPS records on proxied hostnames are not served — Cloudflare uses the auto-generated records instead.
+
+If you have disabled Universal SSL (for example, because you use [Advanced Certificates](/ssl/edge-certificates/advanced-certificate-manager/) exclusively), Cloudflare will not generate HTTPS records for proxied hostnames.
+
+For [DNS-only (grey cloud)](/dns/proxy-status/) hostnames, you can manually add HTTPS records and Cloudflare will serve them. However, **all records on the same label must be DNS-only** for the manual HTTPS record to be served.
+:::
+
+<Details header="Example: Manual HTTPS records and proxy status">
+
+A label refers to all DNS records in a zone that share the same name. For Cloudflare to serve a manually-added HTTPS record, every record on that label must be DNS-only (grey cloud).
+
+<Example>
+
+**Will work** — All records on the label are DNS-only:
+
+| Type  | Name        | Content         | Proxy status |
+| ----- | ----------- | --------------- | ------------ |
+| A     | example.com | `192.0.2.1`     | DNS only     |
+| HTTPS | example.com | `1 . alpn="h3"` | -            |
+
+The HTTPS record will be served because the A record is DNS-only.
+
+</Example>
+
+<Example>
+
+**Will not work** — Mixed proxy status on the same label:
+
+| Type  | Name        | Content         | Proxy status |
+| ----- | ----------- | --------------- | ------------ |
+| AAAA  | example.com | `2001:db8::1`   | Proxied      |
+| HTTPS | example.com | `1 . alpn="h3"` | -            |
+
+The HTTPS record will **not** be served because the AAAA record on the same label is proxied.
+
+</Example>
+
+</Details>
+
 For more details and context, refer to the [announcement blog post](https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns/) and [RFC 9460](https://www.rfc-editor.org/rfc/rfc9460.html).
 
 <Render file="api-field-definitions" product="dns" />

@@ -45,8 +45,10 @@ To support non-SNI requests, you can:
 
 If your domain has [HTTP/2 or HTTP/3 enabled](/speed/optimization/protocol/), [proxied DNS records](/dns/proxy-status/), and is also using [Universal SSL](/ssl/edge-certificates/universal-ssl/), Cloudflare automatically generates HTTPS records on the fly, to advertise to clients how they should connect to your server.
 
-:::caution
-Both HTTP/2 and HTTP/3 configurations also require that you have an SSL/TLS certificate served by Cloudflare. This means that disabling Universal SSL, for example, could impact this behavior.
+:::caution[Universal SSL required for automatic HTTPS records]
+Disabling Universal SSL will prevent automatic HTTPS record generation for proxied hostnames, even if you have [Advanced Certificates](/ssl/edge-certificates/advanced-certificate-manager/) or [custom certificates](/ssl/edge-certificates/custom-certificates/) configured. This is because automatic HTTPS record generation is tied specifically to the Universal SSL feature.
+
+If you need HTTPS records without Universal SSL, you can manually add them, but only if **all records on the same label are DNS-only (grey cloud)**. Refer to [SVCB and HTTPS records](/dns/manage-dns-records/reference/dns-record-types/#svcb-and-https) for details and examples.
 :::
 
 ## OCSP and HTTP versions