Configured TTL for A record(s) backing CNAME records

Question

I'm using libresolv to fetch a list of authoritative nameservers for a domain and then query one of those nameservers directly to resolve a host.

That way, I can get the configured TTL for the A record and then I choose to refresh my DNS records in my code at that TTL.

However, I've run into a snafu in that i'm not sure how to handle hosts that refer to CNAMES. For example, output from www.microsoft.com looks like this:

; <<>> DiG 9.7.3 <<>> www.microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3870
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 7

;; QUESTION SECTION:
;www.microsoft.com.             IN      A

;; ANSWER SECTION:
www.microsoft.com.      5       IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 5     IN      CNAME   www.microsoft.com-c.edgekey.net.
www.microsoft.com-c.edgekey.net. 5 IN   CNAME   www.microsoft.com-c.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c.edgekey.net.globalredir.akadns.net. 5 IN CNAME e10088.dspb.akamaiedge.net.
e10088.dspb.akamaiedge.net. 5   IN      A       23.194.222.159

Should I be refreshing my host using the CNAME TTL? If so, how do I get that configured TTL for the CNAME?

Or, should I be refreshing my using using the A record which is linked to the CNAMEs (i.e. e10088.dspb.akamaiedge.net)? If so, how do I fetch the configured TTL for that host?

Any information you experts can provide would be greatly appreciated.

Answer 1

In the case of CNAME's for load balanced servers, you'd want to refresh at the closest record to you, which is the initial lookup. Consider the rest of the lookups as backend processing, which in this case, I like to call the Akamai shuffle.

EDIT: If you query the authoritative NS directly, you should get the "real" TTL:

rickbuford@ent01:~$ dig +noall +answer @ns2.google.com www.google.com
www.google.com.         300     IN      A       74.125.194.103
www.google.com.         300     IN      A       74.125.194.147
www.google.com.         300     IN      A       74.125.194.99
www.google.com.         300     IN      A       74.125.194.105
www.google.com.         300     IN      A       74.125.194.106
www.google.com.         300     IN      A       74.125.194.104

The TTL countdown is a function of a caching LDNS or intermediary server. So, in your example:

First, do your primary lookup:

rickbuford@ent01:~$ dig www.microsoft.com

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> www.microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54032
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.microsoft.com.             IN      A

;; ANSWER SECTION:
www.microsoft.com.      60      IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 123   IN      CNAME   www.microsoft.com-c.edgekey.net.
www.microsoft.com-c.edgekey.net. 10967 IN CNAME www.microsoft.com-c.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c.edgekey.net.globalredir.akadns.net. 576 IN CNAME e10088.dspb.akamaiedge.net.
e10088.dspb.akamaiedge.net. 17  IN      A       172.233.22.36

;; Query time: 19 msec
;; SERVER: 192.168.186.1#53(192.168.186.1)
;; WHEN: Thu Jun 11 21:24:28 CDT 2015
;; MSG SIZE  rcvd: 237

Then you need to get the NS/SOA of the last CNAME:

rickbuford@ent01:~$ dig e10088.dspb.akamaiedge.net NS

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> e10088.dspb.akamaiedge.net NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;e10088.dspb.akamaiedge.net.    IN      NS

;; AUTHORITY SECTION:
dspb.akamaiedge.net.    965     IN      SOA     n0dspb.akamaiedge.net. hostmaster.akamai.com. 1434075886 1000 1000 1000 1800

;; Query time: 15 msec
;; SERVER: 192.168.186.1#53(192.168.186.1)
;; WHEN: Thu Jun 11 21:25:01 CDT 2015
;; MSG SIZE  rcvd: 119

You should then be able to query the authoritative server for the record:

rickbuford@ent01:~$ dig +noall +answer @n0dspb.akamaiedge.net e10088.dspb.akamaiedge.net
e10088.dspb.akamaiedge.net. 20  IN      A       23.207.250.131