Bug 13928 - TTL value associated with a CNAME record is overridden by its alias
Summary: TTL value associated with a CNAME record is overridden by its alias
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: network
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2012-03-29 08:49 UTC by Siddhesh Poyarekar
Modified: 2014-06-25 11:30 UTC

fweimer: security-
Description Siddhesh Poyarekar 2012-03-29 08:49:39 UTC
If the result of a DNS query is a CNAME and it aliases down to an A or AAAA record, the TTL of the result is taken as that of the A or AAAA record the query finally resolves to.

There doesn't seem to be anything specific in the DNS RFC that talks about this, but the obvious approach ought to be to have the minimum of the TTL values in the entire chain of resolutions (CNAME -> CNAME -> ... -> A|AAAA) as the TTL for the DNS entry.

This behaviour affects how long nscd caches a DNS entry before it looks to reload it. In a case such as the one below, nscd may end up waiting for 20 minutes before it reloads its cache, when ideally it should have waited for just 15 seconds for bad.foo.net and 60 seconds for cad.foo.net.

Steps To Reproduce:

1) Set up a bind server with the following zone file:

$TTL     1200
$ORIGIN foo.net.
@  1D  IN        SOA ns1.foo.net.       hostmaster.foo.net. (
                              2002022401 ; serial
                              3H ; refresh
                              15 ; retry
                              1w ; expire
                              3h ; minimum
                             )
       IN  NS     ns1.foo.net. ; in the domain
; server host definitions
ns1    IN  A      192.168.0.1  ;name server definition     

; non server domain hosts
ad   IN  A      1.0.0.1
;ad   IN  AAAA      ::8
cad 60  IN  CNAME  ad
bad 15  IN  CNAME  cad

2) Start nscd
3) getent hosts bad.foo.net
4) Modify the A record entry to 1.0.0.2
5) Wait for up to 30 seconds (15 seconds of the TTL and the 15 second minimum wait in nscd for extra buffer time)
6) getent hosts bad.foo.net

Actual Results:

1.0.0.1        ad.foo.net bad.foo.net cad.foo.net

Expected Result:

1.0.0.2        ad.foo.net bad.foo.net cad.foo.net
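Added example (my own code, not glibc's resolver and not part of the report): a small parser for the answer section of a DNS response that follows the CNAME chain from the queried name and returns the chain-minimum TTL the report asks for, instead of the final A record's TTL. The `SAMPLE` bytes are constructed to match the zone above (bad -> cad -> ad, TTLs 15/60/1200); function names and the `max_hops` loop guard are my own.

```python
import struct

def _read_name(msg, off):
    """Decode a possibly compressed DNS name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: note where this name ends, then jump
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:
            return ".".join(labels).lower(), off + 1 if end is None else end
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_answers(msg):
    """Return the answer section as (owner, rtype, ttl, rdata) tuples; a CNAME's rdata is its target name."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, rrs = 12, []
    for _ in range(qdcount):  # skip the question section (name + qtype + qclass)
        off = _read_name(msg, off)[1] + 4
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = _read_name(msg, off + 10)[0] if rtype == 5 else msg[off + 10:off + 10 + rdlen]
        rrs.append((owner, rtype, ttl, rdata))
        off += 10 + rdlen
    return rrs

def resolve_chain(rrs, qname, max_hops=8):
    """Follow CNAMEs (type 5) from qname to its A (type 1) records; return (addresses, chain-minimum TTL)."""
    name, ttls = qname.lower(), []
    for _ in range(max_hops + 1):
        cname = next((rr for rr in rrs if rr[0] == name and rr[1] == 5), None)
        if cname is None:
            break
        ttls.append(cname[2])  # every CNAME hop contributes its TTL, not just the final A record
        name = cname[3]
    else:
        raise ValueError("CNAME chain too long or looping")
    final = [rr for rr in rrs if rr[0] == name and rr[1] == 1]
    ttls += [rr[2] for rr in final]
    return [".".join(map(str, rr[3])) for rr in final], (min(ttls) if ttls else None)

SAMPLE = (  # constructed response, not captured: bad CNAME cad (15) -> cad CNAME ad (60) -> ad A 1.0.0.1 (1200)
    struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0) + b"\x03bad\x03foo\x03net\x00\x00\x01\x00\x01"
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 15, 6) + b"\x03cad\xc0\x10"
    + b"\xc0\x29" + struct.pack("!HHIH", 5, 1, 60, 5) + b"\x02ad\xc0\x10"
    + b"\xc0\x3b" + struct.pack("!HHIH", 1, 1, 1200, 4) + bytes([1, 0, 0, 1])
)
```

With the pre-fix behaviour the report describes, `bad.foo.net` would be cached for 1200 seconds; the chain-minimum here is 15, which is the cache lifetime nscd should have used.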
Comment 1 Siddhesh Poyarekar 2012-03-29 08:50:37 UTC
In the reproducer steps:

1.1) Point /etc/resolv.conf to the dns server
Comment 2 Siddhesh Poyarekar 2012-04-11 16:48:06 UTC
Fixed in master.
Comment 3 Florian Weimer 2014-06-25 11:30:19 UTC
DNS resource record TTLs are no longer considered a security feature, so from a security perspective, it does not matter which TTL is used.