CNAME record not allowed at zone apex

What’s actually happening

You're trying to point example.com (not www.example.com) at something like a load balancer or CDN hostname, and the DNS provider rejects the CNAME. The rule comes from RFC 1034: a CNAME means 'this name is nothing but an alias,' but the apex must also carry SOA and NS records. Those can't share a name with a CNAME, so the provider refuses it. Subdomains have no SOA/NS, which is why www works but the bare domain doesn't.

Common causes

• A service gave you a hostname (not an IP) to point the apex at, and you reached for CNAME
• Apex already holds the required SOA and NS records, which a CNAME can't coexist with
• DNS provider doesn't offer ALIAS/ANAME or CNAME flattening
• Copied a subdomain's CNAME setup onto the root domain expecting it to work the same

How to fix it

1. Use ALIAS / ANAME if your provider has itCloudflare (CNAME flattening), Route 53 (Alias), DNSimple/NS1 (ALIAS) resolve the target to A/AAAA behind the scenes and serve those at the apex while staying RFC-compliant. This is the right answer when the target's IP can change.
2. Point the apex at A/AAAA records insteadIf the service publishes stable IPs, set A (and AAAA) records on the apex directly. Only do this when the provider guarantees the addresses won't rotate, or you'll break when they do.
3. Move the service to a subdomain and redirect the apexPut the CNAME on www.example.com (legal there), then redirect example.com to www via your host, an HTTP 301, or a provider redirect rule. Common pattern when no ALIAS support exists.
4. Switch to a provider that flattensIf you're stuck on a host with no ALIAS/ANAME and the target only gives a hostname, move the zone to Cloudflare or Route 53. Flattening at the apex is a standard feature there.