--- Begin Message ---
On Thu, Oct 7, 2021 at 11:22 AM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> On Thu, Oct 07, 2021 at 02:53:36PM +0000, Wessels, Duane via dns-operations wrote:
>
> > I can't explain the TXT queries, but the NS queries seem to be
> > Google's method of doing qname minimization, with an added nonce
> > value.  See https://indico.dns-oarc.net/event/39/contributions/864/
> > and
> > https://developers.google.com/speed/public-dns/docs/security?hl=en#nonce_prefixes
>
> The odd thing is though that queries with Google's nonce labels to .NL
> would be expected to have the appended label after some desired 2LD:
>
>     nonce.extant-2ld.nl
>
> I would not expect Google to append 2LD rather than 3LD nonces in
> queries to the .NL auth servers, those elicit NXDOMAIN, rather than the
> desired nonce-salted referrals.

Correct. These are not nonce prefixes appended by GPDNS. Also we are
mostly querying for NS records when nonce prefixes are used. Given the
RR types being queried, this is likely to be what Matt Nordhoff
mentioned above.

On a related note, the queries you mention send more than two labels
to the NL nameservers. This happens in some scenarios with our qname
minimization implementation. We are making some changes which should
reduce the labels in the query to just two (plus an optional nonce) in
almost all cases.

-Puneet

>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--- End Message ---