[dmarc-ietf] Re: Compatibility of "np" tag with RFC 9824 (Compact Denial of Existence in DNSSEC)

Matteo Contrini <matteo@dmarcwise.io> Thu, 11 June 2026 10:33 UTC

Return-Path: <matteo@dmarcwise.io>
X-Original-To: dmarc@mail2.ietf.org
Delivered-To: dmarc@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0ACD0FF45287 for <dmarc@mail2.ietf.org>; Thu, 11 Jun 2026 03:33:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1781174026; bh=snj1BO3UMvM2WCEtIwt/pIEGH4yzt4OdHuVeMoUQk0I=; h=Date:Subject:To:References:From:In-Reply-To; b=uN2PHelwqJFtPqFc9UjVvXajxbFgq+7qJ5JcJRURIlEtJCYDWhaPgYao4Us0VoLRx 98kcU0SIQIbf5A88AlcAr1oIdnLMyEzvlYkm4lmg8MBIM5RwUBu9bOOXrjGEQvhnCb IyxvgQEXEwLOccV7vcADs9vgSdVkdgMsxgnI9FSo=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=dmarcwise.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bqmVgREkTg1g for <dmarc@mail2.ietf.org>; Thu, 11 Jun 2026 03:33:45 -0700 (PDT)
Received: from smtp02.cbsolt.net (smtp02.cbsolt.net [185.97.217.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7284DFF45282 for <dmarc@ietf.org>; Thu, 11 Jun 2026 03:33:45 -0700 (PDT)
Received: from [192.168.1.173] (u-6k-84-247-221.4bone.mynet.it [84.247.221.203]) by smtp02.cbsolt.net (Postfix) with ESMTPSA id 4gbfBV0wjBz3xC1 for <dmarc@ietf.org>; Thu, 11 Jun 2026 12:33:38 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcwise.io; s=qbm2506238790; t=1781174018; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JlrP5J7X/2iRNYzOrwh2heRHhcPWuOn3yFCG7n3YvME=; b=zKubyuAO1s95JZjbR45uuM9la0goGZm9G6qD0SECWqh77FB/0egykCTF7r3p5cUj3Yxkut n5mOzcggnAKYprvT0VXgwZtAyp0+xKDwk76PnkFegiJiqLftt4SyzjY4saOi5RuYekrHU0 Tyx9e8IcBiRkEiCL3IMpkDAHNGave7s=
Message-ID: <affb07ff-f373-4639-bb62-ca86bf1bc7af@dmarcwise.io>
Date: Thu, 11 Jun 2026 12:33:37 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: it
To: dmarc@ietf.org
References: <1b793e75-1409-4344-bf3b-0f59bacb2591@dmarcwise.io> <88918c6b-72ba-5768-0723-8b2314b14c17@iecc.com>
From: Matteo Contrini <matteo@dmarcwise.io>
In-Reply-To: <88918c6b-72ba-5768-0723-8b2314b14c17@iecc.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: FDTYOJK6LJVK4GJ4H72M2G25MJHHEIOP
X-Message-ID-Hash: FDTYOJK6LJVK4GJ4H72M2G25MJHHEIOP
X-MailFrom: matteo@dmarcwise.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dmarc.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dmarc-ietf] Re: Compatibility of "np" tag with RFC 9824 (Compact Denial of Existence in DNSSEC)
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/WRlPCCiQF7PO4J2I71g7VeIGghQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Owner: <mailto:dmarc-owner@ietf.org>
List-Post: <mailto:dmarc@ietf.org>
List-Subscribe: <mailto:dmarc-join@ietf.org>
List-Unsubscribe: <mailto:dmarc-leave@ietf.org>

On 11/06/2026 10:57, John R. Levine wrote:
> Please see my response to your erratum.
>
> RFC 9824 section 5 explains how resolvers recover the correct NXDOMAIN 
> response so they don't break every application that expects NXDOMAIN 
> to work.  We debated this at great length while writing the RFC.
>
> R's,
> John 

Thanks for the answer, John. For the record, I'm not the author of that 
erratum.

I've read Section 5 of RC 9824 multiple times, let me try to rephrase 
what it says and provide my observations:

- For DNS queries that don't have the DO bit set ("DNSSEC answer OK"), 
it says that authoritative nameservers could simply return NXDOMAIN. It 
also says that this is unlikely to be useful since queries usually go to 
a recursive resolvers, and modern resolvers are all DNSSEC aware, so 
this doesn't apply. Fine.

- A recursive resolver that understands the NXNAME signal and receives a 
query from a client without the DO bit set can decide to replace the 
NOERROR response code with NXDOMAIN. This mechanism is however optional, 
and I see no indication that it's being applied in the real world so far.

I've checked 8.8.8.8 and 1.1.1.1, I've looked at the source code of 
BIND9, Unbound and PowerDNS and unless I missed something they don't 
appear to be doing this. In my experience, DNS libraries usually don't 
set the DO bit by default (nor does "dig"), so most implementations will 
likely fall in this category of queries and in the current state won't 
see NXDOMAIN.

- A resolver that receives a query with the DO bit set won't do any 
replacement and respond with NOERROR + NXNAME, if that's the case. The 
client will therefore need to read the NXNAME bit to infer 
non-existence. Is this correct or I'm reading it wrong? If so, RFC 9989 
makes no mention of this and assumes you can just check for NXDOMAIN.

- According to Section 5.1 of RFC 9824 a resolver can also request an 
authoritative server to respond with NXDOMAIN even when compact NSEC is 
used, with the CO flag. At the moment, Cloudflare and NS1 authoritative 
servers don't appear to support this, while Bunny DNS does. For this to 
be useful, however, the CO flag needs to be set by both the resolver and 
the query client (otherwise the NXDOMAIN would be reverted to NOERROR). 
DNS libraries don't set this bit by default (nor does "dig"), so an 
implementation needs to be aware that they should set also the CO flag 
when they use the DO flag.

Did I get this right? If so, I still think that RFC 9989 is at least 
missing some guidance for developers:

- If an implementation doesn't set the DO bit, it currently receives a 
NODATA response with most (or all?) resolvers. Replacement of NOERROR 
with NXDOMAIN by resolvers is optional and isn't happening at the moment.

- If an implementation sets the DO bit, they need to be aware of RFC 
9824 and read the NSEC NXNAME bit because no replacement is done by 
default. RFC 9989 makes no mention of this possibility and assumes you 
can always read NXDOMAIN.

- If an implementation sets both the DO flag and the CO flag, most of 
the time it falls back to the previous point, currently. Hopefully this 
will improve, but support for the flag is optional.

Happy to be shown wrong!

--
Matteo