Why can't you have a CNAME at the root of a domain?

Why can't you have a CNAME at the root of a domain?

Have you ever wondered why your nameserver does not allow you to put a CNAME Record at the zone apex? Especially in cloud applications, where IPs can change unpredictably, having a CNAME at the root of the domain is quite convenient. Well, the reason is quite simple:

"A CNAME record is not allowed to coexist with any other data. In other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you can't also have an MX record for suzy.podunk.edu, or an A record, or even a TXT record." - RFC 1912 - Section 2,4

This is exactly why you can't have a CNAME Record at the zone root. The zone root must have two mandatory records: SOA and NS. Since a CNAME has to be the only record for a domain, you can't put a CNAME in the apex.

How to go around this

Some of you may have notices that some nameservers, such as CloudFlare and Amazon's Route 53, allow you to set a CNAME record at the zone apex.

They manage to get this to work by changing the CNAME record to an A Record on the fly, at the time it is requested. CloudFlare call this feature CNAME Flattening, but other nameservers do this as well and there's a wide variety of names in use.

To accomplish this, the authoritative DNS server act as a kind of DNS resolver if there's a CNAME at the root. Rather than returning that record directly it recurses through the CNAME chain until it finds the A Record. At that point, it returns the IP address associated with the A Record.