How does DNS TTL work in chained CNAME configurations?

Drew Shafer

1/17/23, 2:16 AM

I have a DNS config that looks something like this:

www.example.com                 600  IN   CNAME prod.myzone.l2.company.example
prod.myzone.l2.company.example      600  IN   CNAME ssl-endpoint-12345.hostcorp.example
ssl-endpoint-12345.hostcorp.example 60   IN   A     192.0.2.4

So the first two CNAME records in the chain have a TTL of 10 minutes, and the final A record has a TTL of 1 minute

The prod.myzone.l2.company.example CNAME does regional load-balancing between multiple endpoints, and is automatically updated if my DNS provider determines that the current endpoint is unhealthy. For this reason, I would like to propagate changes to the prod.myzone.l2.company.example CNAME as quickly as possible.

If I wanted to reduce overall TTL that clients see when prod.myzone.l2.company.example changes, is it sufficient to only reduce the TTL of the prod.myzone.l2.company.example record, or do I also need to reduce the TTL on the www.example.com record as well?

0 + 0

domain-name-system

ttl

cname-record

Score:1

Server

Patrick Mevzek

1/17/23, 2:32 AM

The TTL for CNAME records does not work in any way differently than other records.

Let us imagine a recursive resolver through which the above goes. It then fills its cache with:

www.example.com CNAME valid for 600s
prod.myzone.l2.company.example CNAME valid for 600s
ssl-endpoint-12345.hostcorp.example A valid for 60s

If someone later query ssl-endpoint-12345.hostcorp.example A directly, then the 60s TTL applies.

But if the query comes for www.example.com, then the resolver will see it doesn't have an A record, but a CNAME and then reuse all of the above.

66s (for example) after the above, www.example.com is still in the resolver cache, but ssl-endpoint-12345.hostcorp.example A won't be anymore so the resolver will have to do a new DNS query to get that data, and cache it.

0 + 0

Drew Shafer

1/17/23, 2:43 AM

extrapolating from your answer: - if I set the intermediate `prod.myzone.l2.company.example` CNAME to 60s, clients will resolve `www.example.com` to the new `A` record within 60 seconds if `prod.myzone.l2.company.example` is updated?

Patrick Mevzek

1/17/23, 3:30 AM

@DrewShafer Yes. I recommend you set up a fake zone, similar to that, and just test things in your use case, to make sure it behaves as you need. You can install `unbound` or another local resolver and use it for your tests so that you can control its cache content. This would be a better result that anything that can be written here :-)

Drew Shafer

1/17/23, 3:40 AM

I can set up new zones pretty easily to test - thanks for the answer!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How does DNS TTL work in chained CNAME configurations?

TH: DNS TTL ทำงานอย่างไรในการกำหนดค่า CNAME แบบเชื่อมโยง

RO: Cum funcționează DNS TTL în configurațiile CNAME înlănțuite?

RU: Как работает DNS TTL в связанных конфигурациях CNAME?

VI: DNS TTL hoạt động như thế nào trong các cấu hình CNAME được xâu chuỗi?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.