[dns-operations] Apex ALIASES that re NOT flattened CNAMEs

Mark E. Jeftovic markjr at easydns.com
Tue Oct 22 23:16:48 UTC 2024 

For a few weeks I was trying to get a custom domain working with 
Substack, which does allow it, usually they specify to use the "www." 
domain level for the CNAME to point at *target.substack-custom-domains.com*

But some people want to to this at the domain apex, and the Substack 
docs state that /some /providers support zone apex aliasing.

Which is true.

But most providers do it via CNAME flattening, so at the end of the 
process, they aren't really CNAMEs, they're A recs.

But this will not work for Substack custom domains - and after going 
back and forth with their support, who took it up with some ops, it 
turns out that custom domains /at the apex/ on Substack will /only work/ 
when the query returns, literally, a CNAME when queried.

The example they gave me to replicate was: *theamazingnewsletterofjosh.com*

which if you do

$ dig theamazingnewsletterofjosh.com @dns1.registrar-servers.com

gives you

;; ANSWER SECTION:

theamazingnewsletterofjosh.com. 60 IN   CNAME 
target.substack-custom-domains.com.


Even though if you also do this:

$ dig -t ns theamazingnewsletterofjosh.com @dns1.registrar-servers.com

you'll get

;; ANSWER SECTION:
theamazingnewsletterofjosh.com. 1800 IN NS dns1.registrar-servers.com.
theamazingnewsletterofjosh.com. 1800 IN NS dns2.registrar-servers.com.

Which would seem to be non-compliant (CNAME and other data)

but if you do this

$ dig -t soa theamazingnewsletterofjosh.com @dns1.registrar-servers.com

you get

;; ANSWER SECTION:
theamazingnewsletterofjosh.com. 60 IN   CNAME 
target.substack-custom-domains.com.

Which is also weird

So apparently, Namecheap (which I believe uses UltraDNS on the backend) 
and apparently Cloudflare handle this apex aliasing, with a literal 
alias, but if you simply flatten the apex alias, for some reason, it 
will not work as a Substack custom domain.

I thought maybe the powerdns ALIAS pseudo type might facilitate this,

https://doc.powerdns.com/authoritative/guides/alias.html

but after setting up a test case, it looks like it too, implements this 
by flattening it out to A records.

Am I to assume this is some customized DNS response then?

Is it even standards compliant to be handing out a CNAME response for 
the same zone that has NS records? (I would say no, but it seems to be a 
thing?)

- mark

-- 
Mark E. Jeftovic <markjr at easydns.com>
Co-founder & CEO easyDNS Technologies Inc.
+1-(416)-535-8672 ext 225

/"Never expect a thing you do not want,
and never desire a thing you do not expect."
-- Bob Proctor /
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20241022/b4f03978/attachment.html>

More information about the dns-operations mailing list