TL;DR: TTL sets how long DNS resolvers cache records before refreshing them, shaping both propagation speed and query volume. DigiCert notes that common values range from 30 to 86,400 seconds depending on record volatility and mission-critical change needs. The governance lesson is simple: DNS change timing is a control decision, not a convenience setting.
At a glance
What this is: TTL is the DNS cache lifetime that determines how quickly record changes propagate and how long stale answers can persist.
Why it matters: For IAM and security teams, TTL is a governance lever because it affects service continuity, failover speed, and the visibility window for DNS-dependent changes across identity, workload, and access paths.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
👉 Read DigiCert's guide to DNS TTL values and propagation timing
Context
DNS TTL, or time to live, is the cache lifetime assigned to a DNS record in seconds. It tells resolvers how long to keep a response before asking again, which makes TTL a core control for propagation speed, cache freshness, and change timing.
For identity and security teams, TTL matters because DNS sits underneath many authentication, workload, and service-discovery paths. A long TTL can preserve stale data after a change, while a short TTL can increase query load and operational churn; the right setting depends on how often the record changes and how quickly the environment must adapt.
Key questions
Q: How should teams choose DNS TTL values for records that change often?
A: Choose TTL based on how quickly a record must reflect change and how much stale data the service can tolerate. Use shorter values for failover, dynamic routing, or frequently updated endpoints, and longer values for stable records such as MX or TXT. The right setting balances freshness, query volume, and operational cost.
Q: Why do long DNS TTL values create operational risk?
A: Long TTL values extend the period during which resolvers can serve outdated answers after a record changes. That can delay failover, prolong misrouting, and make corrections appear inconsistent across users. The risk is not that DNS is broken, but that cache lifetime outlasts the organisation’s change window.
Q: What breaks when TTL is set too low across an entire domain?
A: Very low TTL values drive more frequent DNS lookups, which increases query volume and can raise cost or stress authoritative infrastructure. They also create unnecessary churn for records that rarely change. A domain-wide low-TTL policy usually reflects convenience, not operational design.
Q: When should security and infrastructure teams lower TTL before a change?
A: Lower TTL before planned migrations, failovers, or record corrections when the existing cache could otherwise keep users on the wrong destination. Then allow the old TTL to expire before completing the switch. That sequence reduces the chance of mixed answers during cutover.
Technical breakdown
How DNS caching uses TTL to control refresh timing
TTL is a resolver-side cache instruction, not a property of the record itself. When a DNS answer is returned, recursive resolvers store it for the number of seconds specified and reuse it until expiry. After that window closes, the resolver asks authoritative DNS again and refreshes its cache. This reduces lookup traffic and improves latency, but it also creates a staleness window. In practice, the TTL value becomes a trade-off between efficiency and the acceptable delay before a change is visible across clients.
Practical implication: set TTL based on how quickly you need changes to be seen, not on a default inherited from old records.
Why low TTL values support failover and frequent change
Records that change often, such as failover endpoints or mission-critical service addresses, benefit from shorter TTLs because clients are less likely to hold onto obsolete answers. The article notes that values between 30 and 300 seconds are common for fast-changing records, while 3,600 to 86,400 seconds is more typical for stable MX and TXT records. The lower bound also matters because some resolvers ignore values shorter than 30 seconds, so TTL tuning must reflect real resolver behaviour rather than theoretical settings.
Practical implication: lower TTL before planned changes or failover events so old answers age out before the switch.
How TTL affects query volume and operational cost
TTL is also a traffic-shaping control. Shorter caching windows force resolvers to re-query authoritative DNS more often, which increases query volume and can raise operating costs. Longer windows reduce repeated lookups, but they make stale data persist longer if a record changes. That means TTL policy should be tied to record criticality, not applied uniformly across the domain. Stable records can absorb long cache lifetimes, while dynamic records need faster refresh cycles and tighter operational monitoring.
Practical implication: classify records by change frequency and business impact before standardising TTL settings across zones.
NHI Mgmt Group analysis
TTL is a governance control, not just a performance setting. The article treats TTL as a technical caching parameter, but in identity-adjacent environments it functions as a policy decision about how long the organisation is willing to tolerate stale truth. That matters anywhere DNS changes affect authentication, routing, or service discovery. The practical conclusion is that TTL belongs in change control, not in a default template that nobody revisits.
Long cache lifetimes create a visibility gap that teams often underestimate. A record can be changed instantly at the source while users, resolvers, and downstream systems continue to act on the old value for hours. That delay is not failure of DNS, it is the designed behaviour of TTL. Practitioners need to treat propagation lag as an expected control window whenever they plan cutovers, failovers, or record corrections.
Short TTLs reduce stale-state risk but expand operational load. Lowering TTL narrows the time during which old answers survive, which is useful when records move quickly. But the same choice increases the frequency of lookups and can expose fragility in DNS operations if capacity or monitoring is weak. The implication is that TTL strategy should be matched to record volatility and service criticality, not copy-pasted across environments.
DNS change management needs record-level policy, not zone-level convenience. MX, TXT, A, and failover records do not have the same tolerance for delay. Treating them as if they do creates unnecessary risk for dynamic services and unnecessary cost for static ones. The field-level lesson is to separate low-change records from high-change records and govern them differently rather than using one TTL posture everywhere.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- Secrets management, lifecycle governance, and workload identity are covered in NHI Lifecycle Management Guide, which helps teams align refresh windows with real operational change.
What this signals
Cache lifetime and credential lifetime are now the same governance conversation. In environments where DNS records, secrets, and workload endpoints change independently, TTL policy becomes part of identity operations rather than a purely network concern. Teams that already struggle with leaked-secret remediation, including the 27-day average in our research, should treat stale-state windows as a control problem, not a tuning detail.
The practical signal is that infrastructure teams need record-level policy and identity teams need to understand where DNS underpins access paths. That combination is where stale data causes the most harm, especially when a record supports authentication, routing, or service discovery and a change takes longer to converge than the business expects.
For teams maturing lifecycle governance, the next step is to connect TTL decisions to change management and offboarding workflows. The same discipline that governs when a secret should expire should also govern when a DNS answer should stop being trusted, which is why the NHI Lifecycle Management Guide is relevant to operational planning.
For practitioners
- Inventory records by change frequency Separate static records from mission-critical or frequently updated records, then assign TTL policy based on how often each one realistically changes.
- Lower TTL before planned cutovers Reduce the TTL on records that will change, wait for the existing cache to expire, and only then make the configuration change.
- Set a floor for resolver compatibility Avoid TTL values below 30 seconds because many resolvers will not honour shorter durations consistently.
- Watch for query spikes after shortening TTL Monitor authoritative DNS traffic and cost after changing TTL downward so the operational impact is visible before it becomes a service problem.
Key takeaways
- TTL determines how long DNS answers remain trusted, so it directly shapes propagation speed and stale-data exposure.
- Short TTLs improve responsiveness but increase query load, which means record criticality should drive policy.
- Teams should treat TTL as part of change control and lifecycle governance, not as a static default hidden in DNS settings.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-1 | TTL policy affects how quickly changed data becomes trusted again. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | DNS answers often support access paths and service routing in zero trust designs. |
| OWASP Non-Human Identity Top 10 | NHI-03 | TTL impacts how quickly machine identity related records and secrets-dependent endpoints refresh. |
Align DNS refresh timing with NHI-03 lifecycle expectations for dynamic endpoints and credentials.
Key terms
- Time To Live (TTL): TTL is the number of seconds a DNS resolver may cache a record before it must refresh the answer. It controls how quickly changes propagate and how long stale data can remain in use. For operational teams, TTL is a trade-off between responsiveness, traffic, and consistency.
- DNS Cache Refresh: DNS cache refresh is the process of asking authoritative DNS for a new answer after the cached one expires. It is what makes TTL effective in practice. The refresh cycle determines whether clients see current or outdated information during a change window.
- Propagation Delay: Propagation delay is the time it takes for a DNS change to become visible across resolvers and users. It is influenced by TTL, resolver behaviour, and any intermediate caching. In operations planning, it is the gap between making a change and everyone seeing it.
- Resolver Cache: A resolver cache is temporary storage where DNS responses are kept so repeated lookups can be answered quickly. The cache improves performance but can also preserve outdated records until TTL expires. Managing that cache lifetime is a core DNS control.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: What is TTL? Read the original.
Published by the NHIMG editorial team on 2026-06-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
