Nelson's log

CNAMEs at a DNS root

It’s common wisdom that you can’t use a CNAME at the root of your domain. A subdomain can be a CNAME pointing to something, but the apex itself can’t. That makes hosting websites on naked domains awkward. Confusingly, you actually can do this; it’s just a bad idea. And some DNS services make it look like you’re doing it in a good way, but really they’re faking it. It’s all pretty confusing, but I think I understand what’s going on in detail. This post was motivated by this Hacker News thread.

A reading from the holy text, RFC 1034

A CNAME RR identifies its owner name as an alias, and specifies the corresponding canonical name in the RDATA section of the RR. If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types.

So if you make a CNAME, you can’t put any other DNS records on it. AFAIK you can actually do this at the apex and it will work as well as a CNAME will. The problem is you often want other DNS entries at the apex domain. You want an MX entry so you can redirect mail for the domain. You want a TXT entry to verify you own the domain name to various services. You might want special funky records for DNSSEC or other stuff. It really doesn’t work to make your apex domain an alias for some other domain.

Confusingly, a lot of the big DNS providers do let you set up a CNAME at the apex domain. But behind the scenes they aren’t really serving it as a CNAME; it’s more of a synthetic alias implemented by their DNS server. Typically it looks up the destination host address and quickly substitutes that IP in with an A record for your apex domain. That breaks the end-to-end principle of the DNS lookups, which causes problems for geographic load balancing, fast cache expiry, and probably DNSSEC. But it’s not a terrible solution.
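As an added illustration (not part of the original post), here is a toy model of the RFC 1034 rule and the provider-side flattening described above. The zone contents, the `example.com.` names and the `UPSTREAM_A` stub standing in for a real lookup of the alias target are all constructed.

```python
"""Toy model of the apex-CNAME rule and provider-side 'ALIAS' flattening.

Added example, not code from the original post. The zone data and the stub
resolver below are constructed; a real provider resolves the target on the
public DNS and refreshes the substituted addresses periodically.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]   # (owner, type, rdata)

# Constructed zone: MX and TXT at the apex plus a CNAME at the apex,
# exactly the combination RFC 1034 forbids.
ZONE: List[Record] = [
    ("example.com.",     "CNAME", "web.hosting.example.net."),
    ("example.com.",     "MX",    "10 mail.example.com."),
    ("example.com.",     "TXT",   '"v=spf1 mx -all"'),
    ("www.example.com.", "CNAME", "web.hosting.example.net."),
]

# Constructed stand-in for looking up the hosting target's address records.
UPSTREAM_A: Dict[str, List[str]] = {
    "web.hosting.example.net.": ["192.0.2.10", "192.0.2.11"],
}


def cname_conflicts(zone: List[Record]) -> List[str]:
    """Owner names holding a CNAME plus other data (RFC 1034 section 3.6.2)."""
    by_owner: Dict[str, set] = {}
    for owner, rtype, _ in zone:
        by_owner.setdefault(owner, set()).add(rtype)
    return sorted(o for o, t in by_owner.items() if "CNAME" in t and len(t) > 1)


def flatten_apex(zone: List[Record], apex: str,
                 lookup: Dict[str, List[str]]) -> List[Record]:
    """Replace an apex CNAME with synthesized A records, as ALIAS-style providers do.

    The substituted addresses are a snapshot taken by the authoritative server:
    the target's own TTL, geo-steering and DNSSEC signatures do not reach the client.
    """
    out: List[Record] = []
    for owner, rtype, rdata in zone:
        if owner == apex and rtype == "CNAME":
            out.extend((owner, "A", ip) for ip in lookup.get(rdata, []))
        else:
            out.append((owner, rtype, rdata))
    return out


if __name__ == "__main__":
    print("conflicts before:", cname_conflicts(ZONE))
    flat = flatten_apex(ZONE, "example.com.", UPSTREAM_A)
    print("conflicts after:", cname_conflicts(flat))
    for rec in flat:
        print(rec)
```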

Here’s a list of some of the DNS vendors’ aliasing technology

Long story short, if you want to serve a website from an apex domain it requires compromises and/or protocol fiddling.

Looking at all this, I wonder if the world would be well served by a special DNS entry just for web servers. It’s weird to put something application-specific in DNS, but there’s a strong precedent in MX entries for mail delivery. Probably a bad idea to extend that to the web, but maybe it’d allow some useful tricks?