Zone Apex
The root of a DNS zone, also called the "naked domain" or "apex domain." For example.com, the zone apex is example.com itself (without any subdomain prefix). RFC 1034 prohibits CNAME records at the zone apex.
Full Explanation
The zone apex (also called the naked domain or bare domain) is the root of your DNS zone: example.com with no subdomain prefix. No www, no cdn, no app. Just the domain itself. This matters a lot when you are trying to put your site behind a CDN.
The DNS standard (RFC 1034) says you cannot place a CNAME record at the zone apex. Why? Because the zone apex must have SOA (Start of Authority) and NS (Name Server) records, and the CNAME spec says a CNAME must be the only record at a name. You cannot have both a CNAME and SOA/NS records at the same name. This creates a real problem for CDNs, because CDNs typically route traffic using CNAME records that point to their edge network (like cdn.example.net.cdn.cloudflare.net).
Several workarounds exist. ALIAS and ANAME are vendor-specific record types supported by providers like Route 53, Cloudflare, and DNSimple. They work like a CNAME but the DNS server resolves the target at query time and returns A/AAAA records instead. Cloudflare calls their approach "CNAME flattening." The other option is to use plain A/AAAA records pointing to the CDN's anycast IP addresses, but this means you lose automatic failover unless the CDN uses anycast (which most major CDNs do).
Examples
Here is the problem and the workarounds in DNS records:
; THIS DOES NOT WORK - CNAME at zone apex violates RFC 1034
example.com. IN SOA ns1.example.com. admin.example.com. (...)
example.com. IN NS ns1.example.com.
example.com. IN CNAME cdn.example.com.cdn.cloudflare.net. ; INVALID!
; WORKAROUND 1: ALIAS/ANAME record (Route53, Cloudflare, DNSimple)
; The DNS server resolves the CNAME target and returns A records
example.com. IN ALIAS cdn.example.com.cdn.cloudflare.net.
; Client sees: example.com. IN A 104.16.132.229
; WORKAROUND 2: A/AAAA records pointing to CDN anycast IPs
example.com. IN A 104.16.132.229
example.com. IN A 104.16.133.229
example.com. IN AAAA 2606:4700::6810:84e5
; Subdomains have no restriction - CNAME works fine
www.example.com. IN CNAME cdn.example.com.cdn.cloudflare.net.If you are using a DNS provider that does not support ALIAS/ANAME records, you will need to either use A records with the CDN's anycast IPs or move your DNS to a provider that supports apex CNAME workarounds.
Video Explanation
Frequently Asked Questions
The root of a DNS zone, also called the "naked domain" or "apex domain." For example.com, the zone apex is example.com itself (without any subdomain prefix). RFC 1034 prohibits CNAME records at the zone apex.
Here is the problem and the workarounds in DNS records:
; THIS DOES NOT WORK - CNAME at zone apex violates RFC 1034
example.com. IN SOA ns1.example.com. admin.example.com. (...)
example.com. IN NS ns1.example.com.
example.com. IN CNAME cdn.example.com.cdn.cloudflare.net. ; INVALID!
; WORKAROUND 1: ALIAS/ANAME record (Route53, Cloudflare, DNSimple)
; The DNS server resolves the CNAME target and returns A records
example.com. IN ALIAS cdn.example.com.cdn.cloudflare.net.
; Client sees: example.com. IN A 104.16.132.229
; WORKAROUND 2: A/AAAA records pointing to CDN anycast IPs
example.com. IN A 104.16.132.229
example.com. IN A 104.16.133.229
example.com. IN AAAA 2606:4700::6810:84e5
; Subdomains have no restriction - CNAME works fine
www.example.com. IN CNAME cdn.example.com.cdn.cloudflare.net.If you are using a DNS provider that does not support ALIAS/ANAME records, you will need to either use A records with the CDN's anycast IPs or move your DNS to a provider that supports apex CNAME workarounds.