
Well yes,
back in the day when hardly anybody ever needed a change in DNS, it was very easy to make the system secure, because the greybeard in charge had a need-to-know policy, i.e. he needed to know you, and his fingertips wove the magic that would let your CNAMEs come into being into text files. Of course, nowadays, we expect fingerprints of five different flavours of short-lived certificates in there, autoconfig information generated by your local AD server, spam policy, and a host of other things, signed by another set of short-lived certificates, turtles all the way down, all of which almost requires you to have an automated, more-widely-visible administrative access.
More legos, and the same number of naked feet at night.