How does this main domain have a CNAME record?

Question

I was under the impression that only subdomains could have CNAME records: main domains need to define all their own records. However, apt-get.com seems to have only a CNAME record. How can this work?

$ dig apt-get.com 

; <<>> DiG 9.8.1-P1 <<>> apt-get.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45743
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apt-get.com.           IN  A

;; ANSWER SECTION:
apt-get.com.        86336   IN  CNAME   thie5ku9.dsgeneration.com.
thie5ku9.dsgeneration.com. 60   IN  A   208.73.211.242
thie5ku9.dsgeneration.com. 60   IN  A   208.73.211.246
thie5ku9.dsgeneration.com. 60   IN  A   208.73.211.166
thie5ku9.dsgeneration.com. 60   IN  A   208.73.211.232
thie5ku9.dsgeneration.com. 60   IN  A   208.73.211.161
thie5ku9.dsgeneration.com. 60   IN  A   208.73.210.233
thie5ku9.dsgeneration.com. 60   IN  A   208.73.211.186
thie5ku9.dsgeneration.com. 60   IN  A   208.73.211.188

;; Query time: 59 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 10 15:05:48 2014
;; MSG SIZE  rcvd: 193


$ dig apt-get.com ns

; <<>> DiG 9.8.1-P1 <<>> apt-get.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43831
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apt-get.com.           IN  NS

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 10 15:12:37 2014
;; MSG SIZE  rcvd: 29


$ dig apt-get.com ns @b.gtld-servers.net

; <<>> DiG 9.8.1-P1 <<>> apt-get.com ns @b.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38228
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;apt-get.com.           IN  NS

;; AUTHORITY SECTION:
apt-get.com.        172800  IN  NS  ns1.domainrecover.com.
apt-get.com.        172800  IN  NS  ns2.domainrecover.com.

;; ADDITIONAL SECTION:
ns1.domainrecover.com.  172800  IN  A   66.45.232.66
ns2.domainrecover.com.  172800  IN  A   65.23.159.179

;; Query time: 70 msec
;; SERVER: 192.33.14.30#53(192.33.14.30)
;; WHEN: Tue Jun 10 15:07:05 2014
;; MSG SIZE  rcvd: 111

The domain does resolve. I get the following headers:

GET / HTTP/1.1
User-Agent: Testing_Sniffer/4.15
Host: apt-get.com
Accept: */*

HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1347
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=96
P3P: policyref="http://www.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.apt-get.com; path=/; expires=Wed, 11-Jun-2014 14:10:37 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<!-- turing_cluster_prod -->
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

    <title>apt-get.com</title>
    <meta name="keywords" content="apt-get.com" />
    <meta name="description" content="apt-get.com" />
    <meta name="robots" content="index, follow" />
    <meta name="revisit-after" content="10" />


    <meta name="viewport" content="width=device-width, initial-scale=1.0" /> 



    <script type="text/javascript">
      document.cookie = "jsc=1";
    </script>

  </head>
  <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
    <frame src="http://apt-get.com?epl=5PfLSSqWrYDAt-gbwMDK_rA3b1UJCYVTJHfxTzr9FTDQV84b6vAgVhU3FTeCRQNiuRNv79Ni0V3mkEVNRhpqo2gpMjp5iOIR1w2_EISPENaqzoXohVXl2QI3ryXlRCB4FaIIaxynnWXWY6QBgBgNiIZ6agD1NBoNGg0ajXpUCXUAIJDer78AAOB_AwAAQIDbCwAAe_NWlVlTJllBMTZoWkKPAAAA8A" name="apt-get.com">
  </frameset>
  <noframes>
    <body><a href="http://apt-get.com?epl=5PfLSSqWrYDAt-gbwMDK_rA3b1UJCYVTJHfxTzr9FTDQV84b6vAgVhU3FTeCRQNiuRNv79Ni0V3mkEVNRhpqo2gpMjp5iOIR1w2_EISPENaqzoXohVXl2QI3ryXlRCB4FaIIaxynnWXWY6QBgBgNiIZ6agD1NBoNGg0ajXpUCXUAIJDer78AAOB_AwAAQIDbCwAAe_NWlVlTJllBMTZoWkKPAAAA8A">Click here to go to apt-get.com</a>.</body>
  </noframes>
</html>

Answer 1

You misunderstand the nature of RFCs. Anyone is perfectly free to violate them, but unpredictable behaviour may result. You are seeing a perfect example of that: when you ask for NS records for the domain from a .com server, you get one answer (a pair of records), but when you do it through normal recursion, you get a different result (SERVFAIL).

Resolution of the domain name works, as you'd expect (there is a CNAME in place, after all), but it would be very hard to do anything else with that domain (no mail, no www. server) in a reliable way.

You have posted a perfect example of why violating the RFCs is unwise.

Answer 2

This is actually a valid use of a CNAME. You can use a CNAME on the apex of a DNS zone, but you can't use it alongside any other record types, such as MX. This is an unacceptable trade-off for most domain owners, but it is used from time to time.