CNAME for 3rd-level subdomain


I tried to set a CNAME for one of my subdomains:

$ curl -X POST \
	--header "Authorization: Token MYTOKEN" \
	--header "Content-Type: application/json" \
	--data '{"subname":"","type":"CNAME","ttl":3600,"records":[""]}'

{"detail":"RRset IN CNAME: Conflicts with pre-existing RRset"}

I made sure there are no A or AAAA records, and I even deleted the autogenerated NS record. Still not possible to set CNAME. Setting the CNAME for a subdomain of my subdomain works fine.

Any ideas?

Hi mihi,

Welcome to deSEC :slight_smile:

Direct child domains of, such as, are independent zones. As such, they have their own SOA, DNSKEY and other metadata records (which we manage automatically), and as a consequence, it is not possible to use CNAME at the main level of your domain (the so-called zone apex). For a detailed explanation, take a look at this ISC post.

There is a workaround called ANAME or ALIAS, but it comes with complications as far as DNSSEC is concerned. We have done some brainstorming on how to support ALIAS.

I’m interested to know what is your use case though. Why would you not want to set your dynDNS IP records directly on

Stay secure,
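
The apex conflict explained in the reply above, as an added example that is not part of the original thread and not deSEC's code. It assumes RRsets shaped like the `subname`/`type` fields of the API payload in the question; the zone name and records are constructed, and `cname_conflicts` is a hypothetical helper.

```python
# Added example: why a CNAME at the zone apex is always rejected.
# A CNAME may not share its owner name with other data; in a signed zone
# only RRSIG and NSEC may sit beside it (RFC 4035, section 2.5).
CNAME_COMPATIBLE = {"RRSIG", "NSEC"}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def owner_name(subname, zone):
    """Full owner name for a subname; an empty subname means the apex."""
    sub, zone = normalize(subname), normalize(zone)
    return f"{sub}.{zone}" if sub else zone


def cname_conflicts(zone, rrsets, subname, signed=True):
    """Return the sorted record types that forbid a CNAME at subname."""
    target = owner_name(subname, zone)
    present = {
        r["type"].upper()
        for r in rrsets
        if owner_name(r["subname"], zone) == target
    }
    if target == normalize(zone):
        # Every zone apex carries SOA and NS; a signed zone adds DNSKEY.
        # These exist even when the user has no A/AAAA records there.
        present |= {"SOA", "NS"}
        if signed:
            present.add("DNSKEY")
    # An existing CNAME would be replaced, so it is not a type conflict.
    return sorted(present - CNAME_COMPATIBLE - {"CNAME"})


# Constructed sample zone contents (placeholder names, not from the thread).
RRSETS = [
    {"subname": "www", "type": "A"},
    {"subname": "www", "type": "RRSIG"},
    {"subname": "docs", "type": "CNAME"},
]

if __name__ == "__main__":
    for sub in ("", "www", "docs", "blog"):
        blockers = cname_conflicts("example.test", RRSETS, sub)
        label = sub or "(apex)"
        print(f"{label:7} CNAME {'blocked by ' + ', '.join(blockers) if blockers else 'allowed'}")
```
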

Thanks for the reply.

I read about ALIAS in the documentation, but for me it was no option since as far as I know, for GitHub pages it is required to have CNAMEs.

My Use case: A GitHub user (or organization) can host one website with GitHub pages by using his subdomain. If they want to host more than one website (from different Git repositories) they would need their own DNS name for that, which needs to be a CNAME to the correct (to verify domain ownership when setting it up, as well as to make the website work). Another option would be to create your own organization per website, but that makes your repo management cumbersome.

So far I used subdomains from for that, but they do not support DNSSEC, so I tried to use subdomains instead.

So I am not using the “dyndns” aspect of subdomains here, only the “freedns” aspect.

But I can as well grab a short third-level domain (which I have done now) and put my GitHub Pages subdomains below that one.

Thank you for explaining. Yes, the apex of domains directly under is intended for dynDNS usage, and your use case is currently not covered.

Your workaround is a viable solution (just like, alternatively, registering a conventional domain name with some registrar and then putting CNAME records on its subdomains).

So far I used subdomains from for that, but they do not support DNSSEC, so I tried to use subdomains instead.

That is not the only thing AFRAID’ORG does NOT support, I am afraid.

Hmm, is this on-topic enough for you to “desecrate” this old thread?


Well, if I can nudge 1 single user to not waste their time on but rather on or my effort was well worth it :wink: