by robgolding 2200 days ago
This is a fantastic and well-written guide, thank you!

I recently wrote a toy caching DNS proxy in Elixir, and I have a question which I’ve never been able to figure out. Individual DNS records for the same hostname can have different TTLs configured. For example, 30s for one record and 300s for another. As a caching resolver, what is the expected behaviour when the record with the shorter TTL has expired but the other has not? I chose to invalidate the entire thing and make a new query upstream, but I’ve always wondered what the “proper” behaviour should be.

3 comments

Having multiple TTLs in the same record set is deprecated. [1]

If you would rather put them in your cache instead of refusing to serve them through your server, you are probably best off taking the lower TTL and using that as your initial TTL. E.g. this is how an authoritative Knot instance would handle differing TTLs in a DNSSEC-signed zone.

[1] https://tools.ietf.org/html/rfc2181#section-5.2

I haven't written a DNS server, so this might be a stupid question, but why would differing TTLs be a problem? You'd just need to key your cache with a (label, recordtype) tuple, right?

From the RFC link in a sibling comment[1]:

> No uses for this have been found that cannot be better accomplished in other ways. This can, however, cause partial replies (not marked "truncated") from a caching server, where the TTLs for some but not all the RRs in the RRSet have expired.

So the cache could be split up like that, but then it could produce partial results, which is worse than reducing the effective TTL.

[1] https://tools.ietf.org/html/rfc2181#section-5.2
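Both points above in Python, as an added example that is not code from the thread, from Knot or from any real resolver (the hostname and addresses are constructed): an RRset cache that equalises the set to its lowest TTL as the sibling comment and RFC 2181 suggest, beside a naive per-record cache that produces exactly the partial reply the quoted paragraph warns about.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str

# Constructed upstream answer: one A RRset whose two records carry different TTLs.
UPSTREAM = [RR("www.example.test", "A", 30, "192.0.2.1"),
            RR("www.example.test", "A", 300, "192.0.2.2")]

class RRsetCache:
    """Caches the whole (name, type) set under one expiry taken from its lowest TTL."""
    def __init__(self):
        self.store = {}  # (name, rtype) -> (expires_at, [RR with equalised TTL])

    def insert(self, rrs, now):
        ttl = min(rr.ttl for rr in rrs)  # RFC 2181 s5.2: treat every TTL as the lowest
        key = (rrs[0].name, rrs[0].rtype)
        self.store[key] = (now + ttl, [replace(rr, ttl=ttl) for rr in rrs])

    def lookup(self, name, rtype, now):
        hit = self.store.get((name, rtype))
        if hit is None or now >= hit[0]:
            self.store.pop((name, rtype), None)
            return None  # whole set expired together: re-query upstream
        return [replace(rr, ttl=hit[0] - now) for rr in hit[1]]

class PerRecordCache:
    """Naive per-record expiry: the partial-reply hazard RFC 2181 warns about."""
    def __init__(self):
        self.store = {}  # (name, rtype) -> [(expires_at, RR)]

    def insert(self, rrs, now):
        self.store[(rrs[0].name, rrs[0].rtype)] = [(now + rr.ttl, rr) for rr in rrs]

    def lookup(self, name, rtype, now):
        live = [replace(rr, ttl=exp - now)
                for exp, rr in self.store.get((name, rtype), []) if now < exp]
        return live or None  # may be a strict subset of the RRset: a partial reply

def answers_at(cache_cls, t):
    """(rdata, remaining TTL) pairs a cache returns t seconds after caching UPSTREAM at 0."""
    cache = cache_cls()
    cache.insert(UPSTREAM, now=0)
    hit = cache.lookup("www.example.test", "A", now=t)
    return None if hit is None else sorted((rr.rdata, rr.ttl) for rr in hit)
```

At t=60 the RRset cache reports a miss and refetches the whole set, while the per-record cache still answers with only the 300s record.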

Do you have a link to your toy DNS proxy?