Why does Heroku warn against "naked" domain names?

domain-name-system domain cloud cloud-computing heroku

I ran across this page in the Heroku docs...

Naked domains, also called bare or apex domains, are configured in DNS via A-records and have serious availability implications when used in highly available environments such as massive on-premise datacenters, cloud infrastructure services, and platforms like Heroku.

For maximum scalability and resiliency applications should avoid naked domains and instead rely solely on subdomain-based hostnames.

Does anyone here speak Enterprise? What are the "availability implications" they're warning about?

(I notice that http://stackoverflow.com works no problem, so evidently there are viable alternate philosophies on this issue.)


What they're talking about is that when you use a CNAME to point to their services (which is only possible on subdomain, not the zone root - it can't coexist with the SOA and NS records that are required on the root of your zone), they can make a change to their own DNS records to work around some kind of availability issue.

With a zone root, you must use an A record to point to a specific IP address for the service. If they have an issue with routing, or some kind of denial of service against that specific address, they're not able to update your zone's A record to point to a different IP on the fly; they can update their own, though, and that's what a CNAME allows them to do.

This doesn't apply to Stack Exchange because they aren't using a third party's platform; they'll be the ones responding to an availability issue, so whether it's a CNAME or an A makes no difference to them.


As an addition to @ShaneMadden's answer, one workaround is for the third-party platform to also manage your DNS zone. For example, if you use AWS's Elastic Load Balancer service, and their Route 53 DNS service, you can reliably point the zone apex at an ELB instance using their custom alias records, which allows them to update your DNS zone in response to availability issues.

This is however an argument against the no-www concept, since www.example.com can have a CNAME record.

Related

How do you setup ssh to authenticate using keys instead of a username / password?
Smoothest workflow to handle SSH host verification errors?
OpenVPN not default gateway for all traffic
Why drop caches in Linux?
Load balancing & NAT-ing multiple ISP connections on Linux
LAMP Server Performance Tips [closed]
escaping double quotes and percent signs (%) in cron
Allowing SSH on a server with an active OpenVPN client
Forcing the from address when postfix relays over smtp
Why Does hotmail still reject my emails?
Tc: ingress policing and ifb mirroring
Apache 2.4 + PHP-FPM + ProxyPassMatch