[dmarc-ietf] [Technical Errata Reported] RFC9989 (8995)

rfc-editor@rfc-editor.org Wed, 10 June 2026 18:16 UTC

Return-Path: <rfc-editor@rfc-editor.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@mail2.ietf.org
Received: from errata-celery-5f5fdb66c7-r56gf (unknown [4.156.85.76]) by mail2.ietf.org (Postfix) with ESMTP id 1832AFEDDD8D; Wed, 10 Jun 2026 11:16:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1781115409; bh=NICr/v092MQ2ZF+IvslBYFT/ypILUcOcNDycWvoTYyw=; h=Subject:From:To:Cc:Date; b=GoTphzHS9kiZusNn+TLAopx7CR7bYnLRD/w0b8yPF2c5vIn0GBthOxu4yweCAwQ2g kD/45oHlEx/hZaY70BwEAyREofH6d7dBZ4d4/bjNcRpPQm2EpX+LWhaFahYpL9PcbD eDmI866+l9mw0VnF5lkRlPyeBmo1b+evzh0W8uGs=
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: rfc-editor@rfc-editor.org
To: andy@hxr.us, ietf@johnlevine.com, superuser@gmail.com, tjw.ietf@gmail.com, todd@someguyinva.com, eckelcu@cisco.com
Date: Wed, 10 Jun 2026 18:16:49 -0000
message-id: <178111540878.11.8024834297384837061@rfc-editor.org>
Message-ID-Hash: 7CDYN22P7AW5RC2PY3LNL2QDVUWJKUQY
X-Message-ID-Hash: 7CDYN22P7AW5RC2PY3LNL2QDVUWJKUQY
X-MailFrom: rfc-editor@rfc-editor.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dmarc.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: rfc-editor@rfc-editor.org, mihalop4@gmail.com, dmarc@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dmarc-ietf] [Technical Errata Reported] RFC9989 (8995)
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_KBVZ0b7iDpWjj0XV819eiIasmQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Owner: <mailto:dmarc-owner@ietf.org>
List-Post: <mailto:dmarc@ietf.org>
List-Subscribe: <mailto:dmarc-join@ietf.org>
List-Unsubscribe: <mailto:dmarc-leave@ietf.org>

The following errata report has been submitted for RFC9989,
"Domain-Based Message Authentication, Reporting, and Conformance (DMARC)"

--------------------------------------
You may review the report below and at:
https://errata.rfc-editor.org/eid8995/

--------------------------------------
Type: Technical
Reported by: Johnathon Mihalop <mihalop4@gmail.com>

Section Appendix A.4. says:

Original Text
-------------
If the response code received for a query for a domain name is NXDOMAIN, then the name and all the names under it do not exist.

Corrected Text
--------------
If the response received for a query for a domain name proves that the queried name does not exist, then the name and all names under it are considered non-existent for the purposes of this specification. This proof can be conveyed by an NXDOMAIN response, or by a DNSSEC-validated denial-of-existence response that otherwise indicates non-existence of the queried name, such as an RFC 9824 Compact Denial response containing the NXNAME type in the relevant NSEC bitmap.

Notes
-----
RFC 9824 (Compact Denial of Existence in DNSSEC) is a Proposed Standard that defines a way to reduce the size and signing cost of DNSSEC denial-of-existence responses. For a non-existent name, Compact Denial can return a NODATA-shaped response, i.e. RCODE=NOERROR with an empty Answer section, while signalling non-existence using the NXNAME RR type (TYPE128) in the NSEC/NSEC3 type bitmap.

RFC 9989 describes non-existent domains only in terms of NXDOMAIN. This is incomplete for DNSSEC-validated responses from zones using RFC 9824 Compact Denial. A receiver that only treats RCODE=NXDOMAIN as proof of non-existence may fail to recognize an RFC 9824 NXNAME denial proof and may therefore fail to apply the DMARC np= policy for a non-existent Author Domain.

Instructions:
-------------
This erratum is currently posted as "Reported". Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--------------------------------------
RFC9989 (draft-ietf-dmarc-dmarcbis)
--------------------------------------
Title               : Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
Publication Date    : May 2026
Author(s)           : T. Herr, Ed., J. Levine, Ed.
Category            : Proposed Standard
Source              : dmarc (art)
Stream              : IETF
Verifying Party     : IESG