RRSet of type CNAME with DNS name foo.com. is not permitted at apex in zone bar.com

Solution 1

As per RFC1912 section 2.4:

 A CNAME record is not allowed to coexist with any other data.  In
 other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
 can't also have an MX record for suzy.podunk.edu, or an A record, or
 even a TXT record.  Especially do not try to combine CNAMEs and NS 
 records like this!:

           podunk.xx.      IN      NS      ns1
                           IN      NS      ns2
                           IN      CNAME   mary
           mary            IN      A

The RFC makes perfect sense, as the nameserver wouldn't know whether it needs to follow the CNAME or answer with the actual record the CNAME overlaps with. bar.com is a zone, therefore it implicitly has an SOA record for the bar.com name. You can't have both an SOA record and a CNAME with the same name.

However, given that SOA records are generally used only for zone maintenance, these situations where you want to provide a CNAME at the zone's apex are quite common. Even though the RFC prohibits it, many engineers would like a behaviour such as: "follow the CNAME unless the query explicitly asks for the SOA record". That's why Route 53 provides alias records. These are a Route 53 specific feature which offer the exact functionality you require. Have a look at http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingAliasRRSets.html
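The coexistence rule quoted above, as an added example that is not part of the original answer: a small Python zone model that applies RFC 1912 section 2.4 (a CNAME may not share an owner name with any other data) and shows why the apex is the one name where the rule can never be satisfied, because the zone's own SOA and NS records always live there. The zone name, record names and rejection wording are constructed for illustration; the apex message mirrors the error in the question.

```python
"""Added example, not code from the original page: a minimal zone model
that enforces RFC 1912 section 2.4 (no CNAME alongside other data at the
same owner name). Zone and record names are constructed sample data."""


def normalize(name):
    """Lower-case and force exactly one trailing dot so 'bar.com' and
    'bar.com.' compare equal, as they do in DNS."""
    return name.strip().lower().rstrip(".") + "."


class Zone:
    def __init__(self, apex):
        self.apex = normalize(apex)
        # Every zone has SOA and NS at its apex whether or not the operator
        # typed them in; that implicit data is what makes the apex special.
        self.records = {self.apex: {"SOA", "NS"}}

    def check(self, name, rrtype):
        """Return None if an RRset of this type may be added at this name,
        otherwise a string explaining why it may not."""
        name, rrtype = normalize(name), rrtype.upper()
        if name != self.apex and not name.endswith("." + self.apex):
            return f"{name} is not inside zone {self.apex}"
        existing = self.records.get(name, set())
        # A CNAME may not coexist with any type other than itself.
        if rrtype == "CNAME" and existing - {"CNAME"}:
            if name == self.apex:
                return (f"RRSet of type CNAME with DNS name {name} is not "
                        f"permitted at apex in zone {self.apex}")
            return f"CNAME at {name} would coexist with {sorted(existing)}"
        # And no other type may be added where a CNAME already exists.
        if rrtype != "CNAME" and "CNAME" in existing:
            return f"{rrtype} at {name} would coexist with a CNAME"
        return None

    def add(self, name, rrtype):
        reason = self.check(name, rrtype)
        if reason is not None:
            raise ValueError(reason)
        self.records.setdefault(normalize(name), set()).add(rrtype.upper())


if __name__ == "__main__":
    zone = Zone("bar.com")
    for owner, rrtype in [("bar.com", "CNAME"), ("bar.com", "A"),
                          ("www.bar.com", "CNAME"), ("www.bar.com", "MX")]:
        print(owner, rrtype, "->", zone.check(owner, rrtype) or "ok")
        if zone.check(owner, rrtype) is None:
            zone.add(owner, rrtype)
```

Note that an A record at the apex passes the check: that is exactly the gap Route 53's alias A record fills, since an alias is stored as an A (or AAAA) RRset and only behaves like a CNAME at query time.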

Solution 2

  1. Create an S3 Bucket called bar.com. (The name must be the same as the domain you want to redirect from in order for this to work!)
  2. In the bar.com S3 Bucket go to Properties > Static Website Hosting, select Redirect all requests to another host name and enter foo.com in the text box.
  3. Back in Route 53, in your Hosted Zone for bar.com, click Create Record Set. Select A - IPv4 address for type. Click Yes for Alias. Click the text box for Alias Target. bar.com should be listed under -- S3 Website Endpoints --. Save the record. Wait a few minutes and you should have a redirect set up to redirect requests from bar.com to foo.com.

You can use this same method to redirect a naked domain to a subdomain (like www). I use this in cases where www.foo.com has to be a CNAME so I redirect from foo.com to www.foo.com with this same method. If foo.com is an A record, you can use this technique to redirect from www.foo.com to foo.com.

NOTE: this method will forward with the full path. i.e. http://bar.com/test will forward to http://foo.com/test.

Solution 3

On Route 53, you need to create an A record, NOT a CNAME record, and create an alias under that.

From @ewalshe's comment on Alexandru Cucu's answer, if you came here trying to set up API Gateway with a custom domain name and have a CloudFront distribution URL.

Solution 4

Jonathan's answer is correct. If you are still confused by his answer, please take a look at this example.


Solution 5

tl;dr: You have to pass in an FQDN as the ResourceRecordSet name.

I had this same problem using this C# snippet:

    using System;
    using System.Collections.Generic;
    using System.Configuration;
    using Amazon.Route53;
    using Amazon.Route53.Model;

    private static void RegisterHostWithDns(IAmazonRoute53 ec2, SynoviaImage image)
    {
        var changeBatch = new ChangeBatch();
        // Bug: image.Name is a bare label, not a fully qualified name inside the hosted zone.
        var rRs = new ResourceRecordSet(image.Name, RRType.CNAME)
        {
            TTL = 60,
            ResourceRecords = new List<ResourceRecord> { new ResourceRecord(image.PublicDns) }
        };
        var change = new Change(ChangeAction.UPSERT, rRs);
        changeBatch.Changes.Add(change);
        var request = new ChangeResourceRecordSetsRequest(ConfigurationManager.AppSettings["DnsZoneId"], changeBatch);
        var response = ec2.ChangeResourceRecordSets(request);
        Console.WriteLine("Updated CNAME For {0} setting {1}", image.Name, image.PublicDns);
    }

In this case image.Name == "Listener"

Once I changed it to:

    using System;
    using System.Collections.Generic;
    using System.Configuration;
    using Amazon.Route53;
    using Amazon.Route53.Model;

    private static void RegisterHostWithDns(IAmazonRoute53 ec2, SynoviaImage image)
    {
        var changeBatch = new ChangeBatch();
        // Fix: qualify the label with the zone name so Route 53 receives a FQDN.
        var rRs = new ResourceRecordSet(string.Format("{0}.{1}", image.Name, "testing.foo.bar.com"), RRType.CNAME)
        {
            TTL = 60,
            ResourceRecords = new List<ResourceRecord> { new ResourceRecord(image.PublicDns) }
        };
        var change = new Change(ChangeAction.UPSERT, rRs);
        changeBatch.Changes.Add(change);
        var request = new ChangeResourceRecordSetsRequest(ConfigurationManager.AppSettings["DnsZoneId"], changeBatch);
        var response = ec2.ChangeResourceRecordSets(request);
        Console.WriteLine("Updated CNAME For {0} setting {1}", image.Name, image.PublicDns);
    }

now the value being passed in is: "Listener.fully.qualified.com"

It works now.
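Solutions 2, 3 and 5 share one mechanical point: the ResourceRecordSet name must be a fully qualified name inside the hosted zone, and at the apex the record has to be an alias A record rather than a CNAME. The following Python is an added example, not code from the original answers or from the AWS SDK; it builds the ChangeBatch document that ChangeResourceRecordSets accepts without calling AWS, so it runs offline. The zone name, labels, targets and the hosted zone ID placeholder are constructed sample values; the real S3 website endpoint hostname and its hosted zone ID are per-region values taken from the S3 documentation, not from this code.

```python
"""Added example, not code from the original page or the AWS SDK: build
Route 53 ChangeResourceRecordSets change entries with FQDN names, using a
plain CNAME below the apex and an alias A record at the apex. All names
and IDs used here are constructed sample values."""


def fqdn(label, zone):
    """Join a relative label to the zone name and return it with exactly
    one trailing dot. '' or '@' means the apex; a label that already ends
    in the zone name is accepted as-is so callers may pass either form.
    DNS names are case-insensitive, so the result is lower-cased."""
    zone = zone.strip().lower().rstrip(".")
    label = label.strip().lower().rstrip(".")
    if label in ("", "@", zone):
        return zone + "."
    if label.endswith("." + zone):
        return label + "."
    return f"{label}.{zone}."


def cname_change(label, zone, target, ttl=60):
    """UPSERT a plain CNAME. Refuses the apex up front with the same
    message Route 53 would return, so the error surfaces before any call."""
    name = fqdn(label, zone)
    if name == fqdn("@", zone):
        raise ValueError(f"RRSet of type CNAME with DNS name {name} is not "
                         f"permitted at apex in zone {name}")
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": "CNAME",
            "TTL": ttl,
            "ResourceRecords": [{"Value": target.strip()}],
        },
    }


def alias_a_change(label, zone, target_dns, target_zone_id):
    """UPSERT an alias A record, Route 53's substitute for a CNAME at the
    apex. An alias carries no TTL and no ResourceRecords; the target's
    hostname and the hosted zone ID that owns it go in AliasTarget."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": fqdn(label, zone),
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": target_zone_id,
                "DNSName": target_dns,
                "EvaluateTargetHealth": False,
            },
        },
    }


def change_batch(*changes):
    """Wrap change entries in the ChangeBatch shape the API expects."""
    return {"Changes": list(changes)}


def submit(hosted_zone_id, batch):
    """How the batch would be sent with boto3 (requires credentials and
    network, so it is not exercised here)."""
    import boto3  # imported lazily so the rest of the module runs offline
    client = boto3.client("route53")
    return client.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                              ChangeBatch=batch)


if __name__ == "__main__":
    import json
    # Below the apex a CNAME is fine; the label is qualified automatically.
    www = cname_change("www", "bar.com", "foo.com")
    # At the apex use an alias A record. "ZS3WEBSITEREGIONID" is a placeholder
    # for the region-specific S3 website endpoint hosted zone ID.
    apex = alias_a_change("@", "bar.com", "s3-website-us-east-1.amazonaws.com",
                          "ZS3WEBSITEREGIONID")
    print(json.dumps(change_batch(www, apex), indent=2))
```

The relative-label bug from the C# snippet above is what fqdn() removes: fqdn("Listener", "testing.foo.bar.com") yields "listener.testing.foo.bar.com.", never a bare "Listener".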

fredley

Updated on July 10, 2021

Comments

  • fredley
    fredley almost 3 years

    I own foo.com and bar.com. I am managing both in Route53. foo.com hosts my site, and I'd like to direct traffic from bar.com to foo.com. I tried to set up a CNAME record for bar.com pointing to foo.com, but I got the error message:

    RRSet of type CNAME with DNS name foo.com. is not permitted at apex in zone bar.com.
    

    Why doesn't this work, and what can I do instead?

  • ewalshe
    ewalshe about 7 years
    When creating a record in Route 53 so that a domain apex is directed to a classic ELB you create an alias to an A record rather than to a CNAME. The detailed instructions can be found here: docs.aws.amazon.com/elasticloadbalancing/latest/classic/…
  • Jonathan
    Jonathan over 6 years
    @ewalshe maybe make this an answer to give this more visibility?
  • bjm88
    bjm88 over 6 years
    I've found my s3 bucket name is not loading when AWS Route 53 showing available ones to link. I read somewhere it may matter what AWS Console user you create this as and perhaps what region...
  • Ben A. Hilleli
    Ben A. Hilleli over 5 years
    But aren't CNAMEs supposed to mask other domains? i.e. foo.com to bar.com, but the user's browser would still show foo.com? What would I search for that functionality?
  • Sean
    Sean over 5 years
    foo.com/test works for me but accessing bar.com/test gives me an AccessDenied error. Anyone have suggestions? I wasn't able to change bucket policy on the shell bar.com account.
  • vhs
    vhs about 5 years
    DNAME is defined in RFC 2672. Could you explain how this relates to OP? Route53 does not allow SOA or NS record deletion, at least from the standard interface and DNAME isn't an available option.
  • eugene
    eugene almost 4 years
    I have an A record, and certificate renewal failed and AWS emailed me suggesting to create a CNAME ... what to do?
  • eugene
    eugene almost 4 years
    my SSL certificate has expired and AWS emailed me to create CNAME for the hosts I have, but I already have A record, what to do now?
  • Ioan Alexandru Cucu
    Ioan Alexandru Cucu almost 4 years
    @eugene I assume you're referring to AWS's DNS-based domain ownership verification: docs.aws.amazon.com/acm/latest/userguide/… If that's the case, then Amazon asks you to add a CNAME for a SUBDOMAIN of the domain you claim to own. The first label in the CNAME they ask you to create is randomly generated, so there shouldn't be an issue with it overlapping with any other record.
  • Elijah Lynn
    Elijah Lynn over 3 years
    Note that the Route 53 CNAME (ALIAS) feature is not yet available in GovCloud. The options don't exist yet and you get an error of: RRSet of type CNAME with DNS name example.com. is not permitted as it conflicts with other records with the same DNS name in zone example.com.
  • Evan Erickson
    Evan Erickson about 3 years
    @bjm88 - Your problem is probably the same as mine. You have to create a new bucket with literally "example.com" as the name! My bucket was dev-portfolio and I had to recreate a new bucket and name it myName.com and then it worked.
  • surga
    surga almost 3 years
    There is no DNAME in route53