
I have a DNS config that looks something like this:

```
www.example.com                     600  IN   CNAME prod.myzone.l2.company.example
prod.myzone.l2.company.example      600  IN   CNAME ssl-endpoint-12345.hostcorp.example
ssl-endpoint-12345.hostcorp.example 60   IN   A     192.0.2.4
```

So the first two CNAME records in the chain have a TTL of 10 minutes, and the final A record has a TTL of 1 minute.

The prod.myzone.l2.company.example CNAME does regional load-balancing between multiple endpoints, and is automatically updated if my DNS provider determines that the current endpoint is unhealthy. For this reason, I would like to propagate changes to the prod.myzone.l2.company.example CNAME as quickly as possible.

If I wanted to reduce overall TTL that clients see when prod.myzone.l2.company.example changes, is it sufficient to only reduce the TTL of the prod.myzone.l2.company.example record, or do I also need to reduce the TTL on the www.example.com record as well?

Drew Shafer

1 Answer

The TTL for CNAME records does not work in any way differently than other records.

Let us imagine a recursive resolver through which the above goes. It then fills its cache with:

  • www.example.com CNAME valid for 600s
  • prod.myzone.l2.company.example CNAME valid for 600s
  • ssl-endpoint-12345.hostcorp.example A valid for 60s

If someone later queries ssl-endpoint-12345.hostcorp.example A directly, then the 60s TTL applies.

But if the query comes for www.example.com, then the resolver will see it doesn't have an A record, but a CNAME and then reuse all of the above.

66s (for example) after the above, www.example.com is still in the resolver cache, but ssl-endpoint-12345.hostcorp.example A won't be anymore so the resolver will have to do a new DNS query to get that data, and cache it.

Patrick Mevzek
  • Extrapolating from your answer: if I set the intermediate `prod.myzone.l2.company.example` CNAME to 60s, clients will resolve `www.example.com` to the new `A` record within 60 seconds if `prod.myzone.l2.company.example` is updated? – Drew Shafer Sep 17 '21 at 02:43
  • @DrewShafer Yes. I recommend you set up a fake zone, similar to that, and just test things in your use case, to make sure it behaves as you need. You can install `unbound` or another local resolver and use it for your tests so that you can control its cache content. This would be a better result than anything that can be written here :-) – Patrick Mevzek Sep 17 '21 at 03:30
  • I can set up new zones pretty easily to test - thanks for the answer! – Drew Shafer Sep 17 '21 at 03:40
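The caching behaviour the answer walks through, as a small simulation added here rather than code from the question or answer: a toy resolver chases the CNAME chain, caches each record under its own TTL, and reports how long a `www.example.com` client keeps getting the old address after the intermediate CNAME is changed. The zone contents and the failover endpoint `ssl-endpoint-67890.hostcorp.example` are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Record:
    rtype: str   # "CNAME" or "A"
    target: str  # CNAME target, or the IPv4 address for an A record
    ttl: int     # seconds

class CachingResolver:
    """Toy recursive resolver: follows CNAME chains, caching each record under its own TTL."""
    def __init__(self, zone):
        self.zone = zone          # stand-in for the authoritative servers: name -> Record
        self.cache = {}           # name -> (Record, absolute expiry time)
        self.upstream_queries = 0

    def _lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:  # still within TTL: served from cache
            return hit[0]
        self.upstream_queries += 1
        rec = self.zone[name]
        self.cache[name] = (rec, now + rec.ttl)
        return rec

    def resolve_a(self, name, now):
        """Chase CNAMEs to an A record; returns (address, seconds until the first record in the chain expires)."""
        remaining = None
        for _ in range(8):        # loop guard against CNAME cycles
            rec = self._lookup(name, now)
            left = self.cache[name][1] - now
            remaining = left if remaining is None else min(remaining, left)
            if rec.rtype == "A":
                return rec.target, remaining
            name = rec.target
        raise ValueError("CNAME chain too long")

def make_zone(intermediate_ttl):
    # Constructed copy of the question's chain; the second endpoint is a made-up failover target.
    return {
        "www.example.com": Record("CNAME", "prod.myzone.l2.company.example", 600),
        "prod.myzone.l2.company.example": Record("CNAME", "ssl-endpoint-12345.hostcorp.example", intermediate_ttl),
        "ssl-endpoint-12345.hostcorp.example": Record("A", "192.0.2.4", 60),
        "ssl-endpoint-67890.hostcorp.example": Record("A", "192.0.2.5", 60),
    }

def seconds_until_failover_visible(intermediate_ttl):
    """Fail over the intermediate CNAME at t=1; report when a www.example.com client first gets the new address."""
    zone = make_zone(intermediate_ttl)
    resolver = CachingResolver(zone)
    old_ip, _ = resolver.resolve_a("www.example.com", now=0)
    zone["prod.myzone.l2.company.example"] = Record("CNAME", "ssl-endpoint-67890.hostcorp.example", intermediate_ttl)
    for t in range(1, 700):
        if resolver.resolve_a("www.example.com", now=t)[0] != old_ip:
            return t
    return None
```

With the intermediate CNAME left at 600s the new address only shows up after 600s even though the A record itself expires every 60s; lowering just that one record to 60s brings the switch down to 60s, without touching the `www.example.com` TTL.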