Why does TTL sometimes re-increment between DNS queries?

Question

I dig xkcd.com, and I get something like this back:

; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> xkcd.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52538
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xkcd.com.          IN  A

;; ANSWER SECTION:
xkcd.com.       769 IN  A   107.6.106.82

;; AUTHORITY SECTION:
xkcd.com.       87784   IN  NS  dns3.p03.nsone.net.
xkcd.com.       87784   IN  NS  dns1.p03.nsone.net.
xkcd.com.       87784   IN  NS  dns2.p03.nsone.net.
xkcd.com.       87784   IN  NS  dns4.p03.nsone.net.

;; ADDITIONAL SECTION:
dns1.p03.nsone.net. 70809   IN  A   198.51.44.3
dns2.p03.nsone.net. 70809   IN  A   198.51.45.3
dns3.p03.nsone.net. 71406   IN  A   198.51.44.67
dns4.p03.nsone.net. 70809   IN  A   198.51.45.67

;; Query time: 222 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Jan 21 22:16:42 HKT 2015
;; MSG SIZE  rcvd: 206

The 769 is the cached TTL value for xkcd.com. However, when I do repeat dig xkcd.com several times (within a few seconds of each other), I get a seemingly random TTL value everytime. Here's the sequence:

TRY | ANSWER | AUTHORITY | ADDITIONAL | WHEN
====================================================================
1   | 586    | 59577     | 44474      | Wed Jan 21 22:18:31 HKT 2015
2   | 587    | 14242     | 56745      | Wed Jan 21 22:18:32 HKT 2015
3   | 658    | 87673     | 70698      | Wed Jan 21 22:18:34 HKT 2015
4   | 1022   | 76200     | 51189      | Wed Jan 21 22:18:40 HKT 2015
5   | 1200   | 160954    | 44662      | Wed Jan 21 22:18:41 HKT 2015
6   | 574    | 59565     | 44462      | Wed Jan 21 22:18:43 HKT 2015
7   | 646    | 87661     | 70686      | Wed Jan 21 22:18:46 HKT 2015
8   | 1200   | 121364    | 55967      | Wed Jan 21 22:18:47 HKT 2015
9   | 1200   | 83292     | 54698      | Wed Jan 21 22:18:48 HKT 2015
10  | 1024   | 40540     | 43816      | Wed Jan 21 22:18:49 HKT 2015

Why do I get this seemingly random (within a range) values for TTL? I expect it to decrease gradually, since it is cached.

Answer 1

Dig reports the time left until the TTL expires rather than the actual TTL value. If the number varies, it is most likely that you're querying different DNS servers (for example, round robin) which have the record cached for different amounts of time, and therefore have different expiry times.

If you run the same query against the same DNS server, you will see the TTL decrease by (roughly) the same number of seconds you waited between queries. See below:

ragnarok:~ cwatson$ dig a cwatson.org @192.168.50.11; sleep 2s; dig a cwatson.org @192.168.50.11

; <<>> DiG 9.8.3-P1 <<>> a cwatson.org @192.168.50.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39178
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cwatson.org.           IN  A

;; ANSWER SECTION:
cwatson.org.        5847    IN  A   46.249.223.150

;; Query time: 43 msec
;; SERVER: 192.168.50.11#53(192.168.50.11)
;; WHEN: Wed Jan 21 14:51:08 2015
;; MSG SIZE  rcvd: 45


; <<>> DiG 9.8.3-P1 <<>> a cwatson.org @192.168.50.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24943
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cwatson.org.           IN  A

;; ANSWER SECTION:
cwatson.org.        5845    IN  A   46.249.223.150

;; Query time: 45 msec
;; SERVER: 192.168.50.11#53(192.168.50.11)
;; WHEN: Wed Jan 21 14:51:10 2015
;; MSG SIZE  rcvd: 45

So, for your full example, you have 769 seconds until the A record expires, which will force a re-lookup from your upstream DNS server.

See the answer here for more detail.