When 'dig' returns a single A record, the IP address changes between calls. What is this a sign of?

Solution 1:

'10' in the output is TTL. It is short, 10 seconds, so one can guess that this is dynamically changing. That's why it should not live in DNS recursive servers' cache for more than 10 seconds.

How is it done? It depends on remote DNS server and the way it is implemented. Either hidden nodes dynamically (de-)register into DNS or DNS could be "detecting" alive backend hosts itself.

Solution 2:

It could be a round robin approach.

Usually you deliver all valid addresses and the client picks one to connect to.

If you have badly implemented clients, you might need to force their pick by only offering one value.

The other option is load balancing based on how busy the different servers are. The DNS is then used as a cheap load balancer. Cheap compared to one or more real load balancers with, for example, multiple IP addresses that proxy all requests to the servers.