I was told by our DNS administrator that the use of CNAME records was not "best practice" and was a security vulnerability. Is this true? I have always used CNAME records to reduce the management overhead of DNS records.
etc....
If it's good enough for Google, it's good enough for anybody.
Sure, if the target of the CNAME is out of your zone then it's information you don't control. But if both the left side and the right side are in your own domain then it's no risk at all!
I would say that it isn't true, unless pointed to good information proving otherwise.
There is a potential problem if you have CNAMEs referring to zones that are not controlled by yourself, as they could change the final result unexpectedly, but that is a perfectly normal "do you trust the 3rd party?" issue rather than a DNS-specific one.
If I were you I would ask your DNS administrator if he has any info you can read on the issue he is concerned about - just make sure that the request sounds like you are trying to learn something rather than trying to prove him wrong. If he does give you a good answer, please post it here so we can be educated too!
This is FUD. As already mentioned, the only way a CNAME is less secure than an A record is if it points to a third-party domain you don't control. If it refers to another record in the same domain, then it's completely fine.
He may be confused, because certain types of records (like MX entries!) are not allowed to point to CNAMEs; they must point to A records as per the RFCs. This isn't a security issue per se though, more of a "you may not receive e-mail being sent by RFC strict MTAs" issue.
Google uses tables to mark up their pages. That's not because it is good for anybody, that's because they want to support every other browser out there.
CNAMEs are mostly used the wrong way. But that's not a security issue, of course. A CNAME to some other domain is not a security issue either. It's like saying that a 302 redirect for OpenID authentication is a security issue. If you put something into a DNS record value, then you are responsible for what you did. Maybe you really meant to put another domain there. No security problems.
It's a semantic (religion if you want) issue. A CNAME record is meant to be a "canonical name" for a set of other names. See https://www.rfc-editor.org/rfc/rfc1034 page 14. I.e. you have www.dom.tld, www1.dom.tld, etc. All of these names have A records, aliases to IPv4 addresses. Now you add a www CNAME www1 record and it means that of two aliases, the www one is canonical, primary. This mechanism could be used to tell, e.g., search engine crawlers which of your names are aliases to another and which is primary. But instead, they use 301 redirects from www.dom.tld to just dom.tld or vice versa depending on their customs.
I'm not saying one must not use CNAMEs as aliases. It works, why not. It worked this way for many years, maybe it is the new truth, like systems must evolve with time, etc.
For address records which are not referred to by records which prohibit this, such as NS or MX records, they are fine. However, I would be careful if they cross a zone (even one you control) as it will then require additional DNS queries to resolve the target of the name.
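Added example, not part of the original thread: a small zone audit that flags the two cases the answers above single out, CNAMEs whose target lies outside your own zone and MX/NS records whose target is itself a CNAME. The zone contents, names and the `audit` helper are constructed for illustration; the parser handles only simple one-line records and treats "in zone" as a plain suffix match on the origin.

```python
# Constructed sample zone for example.com (documentation names and addresses).
ORIGIN = "example.com."
ZONE = """\
@      IN MX    10 mail
@      IN NS    ns1
ns1    IN A     192.0.2.53
mail   IN CNAME mx1
mx1    IN A     192.0.2.25
www    IN CNAME web1
web1   IN A     192.0.2.10
shop   IN CNAME store.hosting-provider.example.
"""

def fqdn(name, origin):
    """Expand a relative zone-file name to a lower-case absolute name."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone_text, origin):
    """Return (owner, type, target) tuples for simple one-line records."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        owner, rtype = fqdn(fields[0], origin), fields[2].upper()
        # The target is the last field (MX carries a preference before it).
        target = fields[-1] if rtype == "A" else fqdn(fields[-1], origin)
        records.append((owner, rtype, target))
    return records

def audit(zone_text, origin=ORIGIN):
    """List CNAMEs leaving the zone and MX/NS targets that are aliases."""
    records = parse(zone_text, origin)
    aliases = {o for o, rtype, _ in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, target in records:
        in_zone = target == origin or target.endswith("." + origin)
        if rtype == "CNAME" and not in_zone:
            findings.append(("external-cname", owner, target))
        if rtype in ("MX", "NS") and target in aliases:
            findings.append((f"{rtype.lower()}-to-cname", owner, target))
    return findings

if __name__ == "__main__":
    for finding in audit(ZONE):
        print(*finding)
```

An `external-cname` finding is not an error by itself; it marks a name whose final answer is decided by whoever controls the target zone.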