If the result of a DNS query is a CNAME and it aliases down to an A or AAAA record, the TTL of the result is taken as that of the A or AAAA record the query finally resolves to. There doesn't seem to be anything specific in the DNS RFC that talks about this, but the obvious approach ought to be to have the minimum of the TTL values in the entire chain of resolutions (CNAME -> CNAME -> ... -> A|AAAA) as the TTL for the DNS entry. This behaviour affects how long nscd caches a DNS entry before it looks to reload it. In a case such as the one below, nscd may end up waiting for 20 minutes before it reloads its cache, when ideally it should have waited for just 15 seconds for bad.foo.net and 60 seconds for cad.foo.net.

Steps To Reproduce:

1) Set up a bind server with the following zone file:

    $TTL 1200
    $ORIGIN foo.net.
    @   1D  IN  SOA  ns1.foo.net. hostmaster.foo.net. (
                2002022401 ; serial
                3H         ; refresh
                15         ; retry
                1w         ; expire
                3h         ; minimum
                )
        IN  NS  ns1.foo.net.  ; in the domain
    ; server host definitions
    ns1     IN  A     192.168.0.1  ;name server definition
    ; non server domain hosts
    ad      IN  A     1.0.0.1
    ;ad     IN  AAAA  ::8
    cad 60  IN  CNAME ad
    bad 15  IN  CNAME cad

2) Start nscd
3) getent hosts bad.foo.net
4) Modify the A record entry to 1.0.0.2
5) Wait for up to 30 seconds (15 seconds of the TTL and the 15 second minimum wait in nscd for extra buffer time)
6) getent hosts bad.foo.net

Actual Results:

    1.0.0.1 ad.foo.net bad.foo.net cad.foo.net

Expected Result:

    1.0.0.2 ad.foo.net bad.foo.net cad.foo.net
In the reproducer steps: 1.1) Point /etc/resolv.conf to the dns server
Fixed in master.
DNS resource record TTLs are no longer considered a security feature, so from a security perspective, it does not matter which TTL is used.
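The two TTL rules discussed in the report, computed over a record set constructed from the report's zone file (an added illustration, not code from the report or from glibc/nscd; the toy resolver, record tuples and MAX_CHAIN guard are assumptions):

```python
# Added example: computes the TTL a cache should use for a name that resolves
# through a CNAME chain, comparing the behaviour the report describes (TTL of
# the final A/AAAA record only) with the rule it proposes (minimum TTL over
# the whole chain). The resolver below is a toy, not glibc's.

# (owner, ttl, type, rdata) as a resolver sees them after bind expands the
# relative names with $ORIGIN foo.net.; 'ad' inherits $TTL 1200. Constructed
# from the zone file in the report.
RECORDS = [
    ("ad.foo.net.",  1200, "A",     "1.0.0.1"),
    ("cad.foo.net.", 60,   "CNAME", "ad.foo.net."),
    ("bad.foo.net.", 15,   "CNAME", "cad.foo.net."),
]

MAX_CHAIN = 8  # assumed guard against CNAME loops and runaway chains

def follow_chain(name, records=RECORDS):
    """Return the records visited from `name` down to its A/AAAA record.

    Raises LookupError on a dangling CNAME, a loop, or an over-long chain.
    """
    chain, seen = [], set()
    for _ in range(MAX_CHAIN):
        if name in seen:
            raise LookupError(f"CNAME loop at {name}")
        seen.add(name)
        rr = next((r for r in records if r[0] == name), None)
        if rr is None:
            raise LookupError(f"no record for {name}")
        chain.append(rr)
        if rr[2] in ("A", "AAAA"):
            return chain
        name = rr[3]  # CNAME target: keep walking the chain
    raise LookupError("CNAME chain too long")

def ttl_last_record(name, records=RECORDS):
    """TTL as the report says nscd takes it: the final A/AAAA record only."""
    return follow_chain(name, records)[-1][1]

def ttl_min_chain(name, records=RECORDS):
    """TTL as the report proposes: the minimum across every record in the chain."""
    return min(rr[1] for rr in follow_chain(name, records))

def resolve(name, records=RECORDS):
    """(address, ttl) using the minimum-over-chain rule."""
    chain = follow_chain(name, records)
    return chain[-1][3], min(rr[1] for rr in chain)
```

For bad.foo.net the first rule yields 1200 seconds (the 20 minutes the report complains about) and the second yields 15; for cad.foo.net the second rule yields 60.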