« Back to home

Why it's a bad idea to put a CNAME record on your root domain

When I first setup this blog on AWS S3 I wanted to use my "naked domain" name. What that means is instead of visitors going to www.joshstrange.com I wanted them to be able to go to joshstrange.com. It just seemed cleaner to me and it was fairly easy to get up and running. To accomplish this I setup 2 CNAME records one on joshstrange.com and the other on www.joshstrange.com with each pointing to a different bucket, the "www" bucket was setup to redirect to joshstrange.com.

Everything was working just fine, or so I thought, and so I forgot all about it and moved on with my life. A few months later when this was but a distant memory I started having problems with my eTrade account. I was unable to receive any emails from them and so I was unable to add a new bank account to withdraw my money. I was getting all of their marketing emails just fine but the email confirmations for adding a new bank account just never showed up. I called into support and went through the "Did you check your spam folder" song and dance until the representative told me he could just do a wire transfer to get me the money and he would waive the fee this time. I thought this was strange but I got the money and once again I forgot all about it.

Fast-forward a couple more months and I had decided to pull all of my money out of eTrade and start using TradeKing
I quickly ran into the email issue again on eTrade and decided to try switching my email address from my Google Apps account to my old GMail account. I thought that surely this couldn't be affecting GMail or more people would be complaining and the problem would have been fixed. Sure enough as soon as I changed the email address it started working. Again, I got the money and promptly forgot about the whole ordeal writing it off as some problem on eTrade's end.

Then just this last weekend I went to signup for an eBay Developers account so I could play with the API but the email confirmation never came through. At this point I remembered that my actual eBay account was still using an old email address because even though I added my [email protected] email address I had never received the confirmation email. I finally decided to really look into this email issue and try to figure out what the cause was. After an hour of Googling every combination of "eBay not receiving email google apps" and switching out "eBay" for "eTrade" I stumbled across someone else having a similar problem and one of the suggestions was to take a look at their DNS records. I ignored it the first time I read it but then I saw it mentioned again and this time in combination with CNAME records.

Something clicked in my head and I started to vaguely remember reading something when first setting up my blog about how CNAME records don't belong on your root domain. When I had read that I had written it off as I did not fully understand what it was saying at the time. Now, armed with this revelation, I started searching for "CNAME and MX conflicts" and found countless people warning against it. This ServerFault question/answer sums it up nicely:

This is a common error. You cannot use a CNAME RR for your root domain (e.g. company.com) and define additional resource records for the same zone.

See Why can't I create a CNAME record for the root record? and RFC1034 section 3.6.2 for details:

If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different.

So my own stupidity had caused this issue but I still wasn't sure how to go about fixing the problem. My first step was to delete the CNAME DNS record in CloudFlare to make sure this was the cause. As soon as I could see the record was gone (Using dig joshstrange.com) I attempted to resend my eBay Developer activation email and it came through instantly. I have yet to test with eTrade as they don't allow you to withdraw money for 15 days after you change your email address and I still have some stock tied up there.

So now my email was working but trying to go to joshstrange.com was broken and going to www.joshstrange.com was redirecting to the naked domain. I started to look for solutions and was expecting to have to start using my domain with the "www" until I stumbled across this AWS Blog on how to do exactly what I was wanted. The only "problem" was I would have to use Route 53 instead of CloudFlare for it to work. For me this wasn't a hard decision, I already use AWS for a lot of stuff and it just made sense to have my domain's DNS hosted with them. For other's this may not be an option and you might want to check out wwwizer's naked domain redirect which lets you add an A record to your root pointing to 174.129.25.170 and any request to yourdomain.com will be re-routed to www.yourdomain.com (the opposite of what I was looking for).

Want to know if your site is using CNAME and MX records on your root domain? Test it out by entering your domain name in the widget below provided by MX Toolbox. MX Toolbox, if you didn't know is an awesome tool for checking your DNS records, I've used it extensively to troubleshoot issues and double check things and can't recommend it enough (Yes dig is great but I often want to "sanity-check" that what I see locally is what everyone else is seeing as well).