[dmarc-ietf] Re: Compatibility of "np" tag with RFC 9824 (Compact Denial of Existence in DNSSEC)
"John R. Levine" <johnl@iecc.com> Thu, 11 June 2026 08:57 UTC
Date: Thu, 11 Jun 2026 10:57:03 +0200
Message-ID: <88918c6b-72ba-5768-0723-8b2314b14c17@iecc.com>
From: "John R. Levine" <johnl@iecc.com>
To: Matteo Contrini <matteo@dmarcwise.io>, dmarc@ietf.org
In-Reply-To: <1b793e75-1409-4344-bf3b-0f59bacb2591@dmarcwise.io>
References: <1b793e75-1409-4344-bf3b-0f59bacb2591@dmarcwise.io>
Subject: [dmarc-ietf] Re: Compatibility of "np" tag with RFC 9824 (Compact Denial of Existence in DNSSEC)
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/8YOK_QShNEck7ekMwWjEaAzWeNw>
Please see my response to your erratum. RFC 9824 section 5 explains how
resolvers recover the correct NXDOMAIN response so they don't break every
application that expects NXDOMAIN to work. We debated this at great length
while writing the RFC.

R's,
John

On Tue, 9 Jun 2026, Matteo Contrini wrote:

> Hi all,
>
> In RFC 9989, a domain is determined to be non-existent if the response code
> for the DNS query is NXDOMAIN. This definition is used in the "np" tag
> (non-existent subdomain policy).
>
> However, authoritative name servers doing DNSSEC online signing often use the
> so-called "NSEC Black Lies" method, now known as RFC 9824 - Compact Denial of
> Existence in DNSSEC, to authenticate non-existent domain responses. Instead
> of responding with NXDOMAIN and NSEC/NSEC3 records, they respond with NODATA,
> an empty answer section, and a single NSEC record signaling the pseudo-record
> type NXNAME.
>
> A DMARC implementation following RFC 9989 would therefore never see NXDOMAIN
> and treat all domains using DNSSEC and Compact Denial of Existence as
> existent, even if they're not. The issue appears to be potentially
> significant since the NSEC Black Lies/Compact Denial of Existence method has
> been used extensively in commercial DNS providers, such as Cloudflare (since
> 2016), NS1 and Bunny DNS.
>
> My question is whether the new "np" tag is therefore to be considered
> incompatible with RFC 9824 - Compact Denial of Existence in DNSSEC, or if I
> missed something. I've looked at previous discussions in this mailing list
> but couldn't find anything relevant. I could only find that RFC 9091, which
> RFC 9989 obsoleted, had a broader non-existent definition which also included
> NODATA.
>
> Best regards,
>
> --
> Matteo
>

Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
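The exchange above turns on what an "np" evaluator actually sees on the wire: a classic NXDOMAIN rcode, or (from a Compact Denial of Existence signer, when nothing upstream has recovered the rcode as John describes) a NOERROR response with an empty answer section and an NSEC at the query name whose type bitmap carries the NXNAME pseudo-type. The following is an added example, not code from the thread or from any DMARC or DNS implementation: a standard-library-only Python classifier that parses a wire-format DNS response and recognises both forms of non-existence, while keeping genuine NODATA (name exists, no records of the requested type) distinct. The sample responses are constructed inline, not captured; the NXNAME type code 128 is the value RFC 9824 assigns, and the `classify`/`name_is_nonexistent` names and the MX question type are the example's own choices.

```python
"""Classify a DNS response as "name does not exist" for DMARC np-tag purposes,
covering both the NXDOMAIN rcode and RFC 9824 Compact Denial of Existence
(NOERROR/NODATA plus an NSEC at the QNAME listing the NXNAME pseudo-type).
Standard library only; sample responses are constructed below, no network."""
import struct

TYPE_A, TYPE_RRSIG, TYPE_NSEC = 1, 46, 47
TYPE_NXNAME = 128          # NXNAME pseudo-type code assigned by RFC 9824
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def _read_name(msg, off):
    """Decode a (possibly compressed) wire-format name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("latin-1"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def nsec_types(rdata):
    """Decode the RFC 4034 type bitmap of an NSEC RDATA into a set of type codes."""
    _, off = _read_name(rdata, 0)                       # skip the Next Domain Name field
    types = set()
    while off < len(rdata):
        window, length = rdata[off], rdata[off + 1]
        off += 2
        for i, byte in enumerate(rdata[off:off + length]):
            types.update(window * 256 + i * 8 + bit for bit in range(8) if byte & (0x80 >> bit))
        off += length
    return types


def parse_response(msg):
    """Return (rcode, qname, sections); sections map 'answer'/'authority'/'additional'
    to lists of (owner, rtype, rdata)."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, qname = 12, None
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            sections[section].append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return flags & 0xF, qname, sections


def classify(msg):
    """'NXDOMAIN', 'COMPACT_NXNAME', 'NODATA', 'POSITIVE' or 'OTHER'."""
    rcode, qname, sections = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode != RCODE_NOERROR:
        return "OTHER"
    if sections["answer"]:
        return "POSITIVE"
    for owner, rtype, rdata in sections["authority"]:
        # RFC 9824: the synthesized NSEC sits at the QNAME itself and lists NXNAME
        if rtype == TYPE_NSEC and owner == qname and TYPE_NXNAME in nsec_types(rdata):
            return "COMPACT_NXNAME"
    return "NODATA"


def name_is_nonexistent(msg):
    """What an np-tag evaluator should treat as 'subdomain does not exist'."""
    return classify(msg) in ("NXDOMAIN", "COMPACT_NXNAME")


# --- constructed sample responses (hand-built wire format, not real captures) ---
def _wire_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("latin-1") for l in labels) + b"\x00"


def _nsec_rdata(next_name, types):
    windows = {}
    for t in types:
        windows.setdefault(t >> 8, bytearray(32))[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    bitmap = b""
    for w in sorted(windows):
        bm = bytes(windows[w]).rstrip(b"\x00")
        bitmap += bytes([w, len(bm)]) + bm
    return _wire_name(next_name) + bitmap


def _response(qname, rcode, answer=(), authority=()):
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answer), len(authority), 0)
    msg += _wire_name(qname) + struct.pack("!HH", 15, 1)        # question: <qname> MX IN
    for owner, rtype, rdata in list(answer) + list(authority):
        msg += _wire_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


NX = "nonexistent.example.com."
SAMPLES = {
    "classic_nxdomain": _response(NX, RCODE_NXDOMAIN),
    # Compact DoE: NOERROR, empty answer, NSEC at QNAME, next name "\000.<qname>", NXNAME in bitmap
    "compact_nxname": _response(NX, RCODE_NOERROR, authority=[
        (NX, TYPE_NSEC, _nsec_rdata("\x00." + NX, {TYPE_RRSIG, TYPE_NSEC, TYPE_NXNAME}))]),
    # Genuine NODATA: the name exists (has A) but has no MX; its NSEC carries no NXNAME
    "real_nodata": _response("exists.example.com.", RCODE_NOERROR, authority=[
        ("exists.example.com.", TYPE_NSEC,
         _nsec_rdata("\x00.exists.example.com.", {TYPE_A, TYPE_RRSIG, TYPE_NSEC}))]),
    "positive": _response("exists.example.com.", RCODE_NOERROR, answer=[
        ("exists.example.com.", TYPE_A, bytes([192, 0, 2, 1]))]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:17s} -> {classify(msg):15s} nonexistent={name_is_nonexistent(msg)}")
```

Two caveats apply in practice. First, the NXNAME signal is no more trustworthy than the NXDOMAIN rcode it replaces: either one is only meaningful after DNSSEC validation, so an np evaluator should query through a validating resolver (and check the AD flag) or validate itself before acting on the result. Second, a resolver that implements the recovery John points to in RFC 9824 will already hand the client an NXDOMAIN, so the `COMPACT_NXNAME` branch matters when the evaluator talks directly to an authoritative server or to a resolver that does not perform that recovery.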
- [dmarc-ietf] Compatibility of "np" tag with RFC 9… Matteo Contrini
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Todd Herr
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Matteo Contrini
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Todd Herr
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Matteo Contrini
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Alessandro Vesely
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Murray S. Kucherawy
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Alessandro Vesely
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Todd Herr
- [dmarc-ietf] Re: Compatibility of "np" tag with R… John R. Levine
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Matteo Contrini
- [dmarc-ietf] Re: Compatibility of "np" tag with R… John Levine
- [dmarc-ietf] Re: Compatibility of "np" tag with R… Matteo Contrini