% dig www.google.com a

; <<>> DiG 9.6.1-P1-RedHat-9.6.1-6.P1.fc11 <<>> www.google.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8426
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         532778  IN      CNAME   www.l.google.com.

etc....

If it's good enough for Google, it's good enough for anybody.

Sure, if the target of the CNAME is out of your zone then it's information you don't control. But if both the left side and the right side are in your own domain then it's no risk at all!


I would say that it isn't true, unless pointed to good information proving otherwise.

There is a potential problem if you have CNAMEs referring to zones that are not controlled by yourself, as they could change the final result unexpectedly, but that is a perfectly normal "do you trust the 3rd party?" issue rather than a DNS specific one.

If I were you I would ask your DNS administrator if he has any info you can read on the issue he is concerned about - just make sure that the request sounds like you are trying to learn something rather than trying to prove him wrong. If he does give you a good answer, please post it here so we can be educated too!
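The distinction both answers draw, between CNAME targets inside your own zone and targets in zones someone else controls, can be checked mechanically over a zone file. The following is an added example, not part of either answer; the zone text is constructed, example.com and the other names are placeholders, and it assumes every record line states its owner name explicitly.

```python
# Added example: list the CNAME records in a zone and mark which targets
# leave the zone (i.e. resolve through data a third party controls).
# ZONE_TEXT is constructed sample data; all names are placeholders.
ZONE_TEXT = """\
$ORIGIN example.com.
www      3600 IN CNAME web01
shop     3600 IN CNAME web01.example.com.
static   3600 IN CNAME assets.cdn-provider.example.net.  ; third-party CDN
mail          IN CNAME mail.notexample.com.
web01    3600 IN A     192.0.2.10
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lowercase absolute name with trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def in_zone(name, zone):
    """True if name is the zone apex or a subdomain of it (label-aligned match)."""
    return name == zone or name.endswith("." + zone)

def audit_cnames(zone_text, zone):
    """Return (owner, target, 'in-zone' | 'external') for each CNAME record."""
    zone = zone.lower().rstrip(".") + "."
    origin = zone
    results = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fqdn(fields[1], origin)
            continue
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper[1:]:
            continue
        idx = upper.index("CNAME", 1)              # skip the owner field
        if idx + 1 >= len(fields):
            continue                               # malformed: no target
        owner = fqdn(fields[0], origin)
        target = fqdn(fields[idx + 1], origin)
        verdict = "in-zone" if in_zone(target, zone) else "external"
        results.append((owner, target, verdict))
    return results

if __name__ == "__main__":
    for owner, target, verdict in audit_cnames(ZONE_TEXT, "example.com"):
        print(f"{verdict:9} {owner} -> {target}")
```

The `mail` record shows why the match has to be label-aligned: `mail.notexample.com.` ends with the string `example.com.` but is not inside the zone.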