CNAME okay for primary DNS record?

No, you can't do

@ IN CNAME ...

because the CNAME record type isn't allowed to co-exist with the (required) SOA and NS records that you have to have at your zone apex (or any other resource record type, for that matter, except for DNSSEC-related records).

See s3.6.2 of RFC 1034:

If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types.