1. What is an Apex Record?
The meaning is contextual. If you log in to the portal and click on Domains, you'll see a list of zones. If the zone you see is domain.com, its apex is domain.com because that's the folder name. If you have a resource record in that folder called www.domain.com, that's not the apex. That's a subdomain. www.www.domain.com could also go in the domain.com folder and it's also not the apex.
Now if you go back to Domains and see abc.domain.com in the list of domains, then the apex of abc.domain.com folder is abc.domain.com and www.abc.domain.com could go in that folder.
2. Why Would I Use an Apex Alias?
If you wish to point your apex to a hostname instead of an IP address, you'll need to use Apex Alias. The most common use case occurs when you have a cloud-based provider for your host. Commonly users have CNAME'd subdomains to hostnames. But the apex has always required an "A" record. That can be problematic if the IP address in the "A" record changes frequently, as is common with cloud-based hosting.
3. Why Can't I use a CNAME on an Apex Record?
See Why can't I CNAME an apex record?
4. What does Apex Alias cost?
Apex Alias is a part of Managed DNS service. There's no upgrade required. Any additional costs would be due to using more resource records or queries than your contract currently allows for.
5. How do I configure Apex Alias?
Under Apex Alias, click Add+ and then enter the host you wish to point to under Points To and the desired TTL under TTL (common values are 300, 900, 3600, 10800, 14400, 43200 and 86400). Then click Save.
Please note the apex alias will pass the TTL of the record we find, so even if the TTL is 86400 for the Apex, it is only a placeholder in the database. If the final record has a 10 second TTL, then that is what is passed along.
6. How do I test if my Apex Alias record is working?
Wait 2-5 minutes after adding the record. Go to www.digwebinterface.com, enter the hostname under Hostnames or IP addresses:, click the radio button next to Resolver and click Dig. There should be an answer, usually one or more "A" records, possibly preceded by CNAMEs. You will not see the apex alias record in the results. But you should see what the host in the Points To section would normally resolve to.
7. When you have an existing A record for the root domain (domain.com) and you go to create an APEX, a message will pop up:
You have both an “Address Record” (A and/or AAAA) configured for this domain and an APEX Alias configured. When resolving authoritative lookups, the Address Record(s) will take precedence over the APEX Alias defined and the APEX Alias will not be used. To use the Apex Alias, add the APEX ALIAS first and it will be ignored until the A Record is added. Then once the TTL expires it will be start answering w/ the APEX.
After you create the APEX, you can then delete the A record. We recommend reducing the TTL of the A record to 30 so that it expires sooner; leaving the current TTL value as is would take longer to propagate.
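The check from question 6, and the leftover A record case from question 7, can be scripted. This is an added example, not Vercara tooling: it compares two answers in `dig +noall +answer` format, and the hostnames, addresses and verdict names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample answers in `dig +noall +answer` format (not real data).
# example.com is the apex; target.cdn.example.net is a hypothetical Points To host.
APEX_OK='example.com.            20 IN A 192.0.2.10
example.com.            20 IN A 192.0.2.11'
TARGET='target.cdn.example.net. 20 IN CNAME edge.cdn.example.net.
edge.cdn.example.net.   20 IN A 192.0.2.11
edge.cdn.example.net.   20 IN A 192.0.2.10'
# Old static A record still at the apex: it takes precedence over the alias.
APEX_STALE='example.com.            86400 IN A 198.51.100.7'

# Print the sorted, comma-joined addresses of the A records in an answer.
a_addrs() {
  printf '%s\n' "$1" | awk '$4 == "A" { print $5 }' | sort -u | paste -sd, -
}

# Print the highest TTL on any A record (prints nothing if there is none).
a_max_ttl() {
  printf '%s\n' "$1" |
    awk 'BEGIN { max = -1 } $4 == "A" && $2+0 > max { max = $2+0 }
         END { if (max >= 0) print max }'
}

# check_apex_alias APEX_ANSWER TARGET_ANSWER
# Prints one verdict: OK, NO_ANSWER, ADDR_MISMATCH or TTL_HIGHER.
check_apex_alias() {
  ca_apex=$(a_addrs "$1")
  ca_target=$(a_addrs "$2")
  if [ -z "$ca_apex" ]; then echo NO_ANSWER; return 1; fi
  # Different addresses: the alias is not live yet, or an existing
  # A/AAAA record at the apex is still being served instead of it.
  if [ "$ca_apex" != "$ca_target" ]; then echo ADDR_MISMATCH; return 1; fi
  # The alias passes along the TTL of the record it finds, so the apex TTL
  # should not exceed the target's (assumption: both answers are uncached).
  if [ "$(a_max_ttl "$1")" -gt "$(a_max_ttl "$2")" ]; then
    echo TTL_HIGHER; return 1
  fi
  echo OK
}

# Live use (needs network), with your own apex and Points To host:
#   check_apex_alias "$(dig +noall +answer example.com A)" \
#                    "$(dig +noall +answer target.cdn.example.net A)"
```

A target that answers differently by source IP (see question 8) can legitimately produce ADDR_MISMATCH, so run both queries through the same resolver before treating a mismatch as a leftover A record.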
8. Some DNS servers give different answers to different users based on their source IPs. Which source IP will you provide an answer on behalf of, my source IP or a Vercara source IP?
Answers will be based on your client IP if your recursive DNS server supplies your client IP to us via EDNS0. Google Public DNS, for example, would supply this information to us, and we would answer based on your client IP (and not, say, the source IP of Google's unicast recursive DNS server). If you are using a recursive DNS server that doesn't provide your client IP to us, we do not see your client and cannot answer based on that. Instead we would answer based on the recursive DNS server's unicast source IP. This is only relevant when querying for hosts that give different answers based on source IPs.
9. Can I add an Apex Alias record inside a pool-based record type such as SiteBacker, Traffic Controller, Simple Failover, Directional or Resource Distribution?
Not at this time. We are reviewing whether to support this in the future.
10. Will my Apex Alias record work with a secondary DNS provider?
No. Apex Alias records are proprietary & were designed to work specifically on the Vercara UltraDNS platform. Since zone transfers to secondary providers are done in BIND format, the information contained in an Apex Alias record won't be transferred correctly to a secondary DNS provider, even if the secondary provider supports a similar function. So, you will need to have primary-primary configurations for domains with CNAME flattening at the apex of domains. Apex Alias records will not be included in an outgoing AXFR from UltraDNS for two reasons:
1) Zone transfer is BIND and Apex Alias is a custom record exclusive to our platform. Similar behavior can be seen for Directional and failover services.
2) Most DNS providers offer some form of CNAME flattening at the apex, however, none support zone transfer with them. This is due to the records relying upon services external to authoritative DNS, and every provider handles them a little differently. At UltraDNS, we have network rules in place which cause incoming queries for Apex Alias hostnames to trigger recursive queries for their target. Then, our authoritative name servers take the recursive answer and create an A record for the apex.
11. Can I use @ or leave the Host field blank?
No. The record is explicit so it needs the actual host name/zone.
12. Is the TTL dependent on the A records at the destination? If the TTL of the Alias is 86400, does that mean it will keep publishing the same A records for 1 day even after the CDN's A record TTLs have expired?
The TTL for the apex is just a placeholder. The TTL of the record that is queried on the backend is the TTL that is passed to the client, so that TTL supersedes the TTL for the apex.
13. Can you apply DNSSEC on an Apex record?
Our on-the-fly signer can sign apex alias records. This is our default signer. We have a legacy signer which cannot. If you are signing a zone for the first time, it will use the on-the-fly signer. If you are using a zone that is already signed, you can check the signer by browsing to the zone in our Managed DNS portal and then clicking the DNSSEC tab. Beside "Type" it will say "NSEC_ON_THE_FLY" if you are using our on-the-fly signer which supports Apex Alias.