Cisco – Is 802.11k a security risk

This could first of all be necessary if for some reason, the client has access to more or different name resolution data than the proxy. You gave one simple example yourself: an entry in the client's host file that is not present on the proxy. Or the client could be talking to a different DNS server.

It could also be an efficiency thing, since with option 0 all DNS requests will be performed twice, once by the client and then again by the proxy. In option 1, the proxy will only perform a DNS lookup as a fallback if the client supplied address doesn't work.

Also note that when a domain uses round robin DNS, the client and proxy might get a different answer to their queries. This would result in a connection to a different server, not the one the client expected to be connected to. This could cause issues with protocols which somehow depend on being connected to the instance returned by DNS. Such a protocol would work with option 1, but not always with option 0.

Your are correct about 802.11r and it's issues with lack of client-support.

Assuming your deploying WPA2-Enterprise or similar (where session keys are established)...you should take a look at the following. It's great reading, especially since your inquiring about 'best practices' with very little detail on your deployment (ie target devices/applications...VoWiFi?):

802.11r/k: http://www.revolutionwifi.net/2013/05/apple-ios-fast-roaming-with-aerohive-wi.html

CCKM/PCK-OKC and description of roaming techniques: http://www.revolutionwifi.net/2012/02/wi-fi-roaming-analysis-part-2-roaming.html

Follow the links at the bottom of the 2nd URL for Cisco recommendations, but again...will depend heavily on your target device/application.