[dmarc-ietf] Re: Compatibility of "np" tag with RFC 9824 (Compact Denial of Existence in DNSSEC)

Todd Herr <todd@someguyinva.com> Tue, 09 June 2026 15:17 UTC

Return-Path: <todd@someguyinva.com>
X-Original-To: dmarc@mail2.ietf.org
Delivered-To: dmarc@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 56DA2FE1C3F9 for <dmarc@mail2.ietf.org>; Tue, 9 Jun 2026 08:17:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1781018274; bh=ncCDin/LjWlI206Vrs5ciPCUkvxXj3mnjpop5RfGG70=; h=References:In-Reply-To:From:Date:Subject:To; b=tv4fFCotErcKGF7DRmOkEc7k0OEHCHWwHGNwajLmLt75GRT0xr5cAlmAWFEq3qzY6 zBjSpRPyvV5xd5gY1vvcC/LrT1IBgs09gmd8+RzPA2Yosg/RmBp8BBGXfbSn1/bi4s jJECWtUIsoXWUt6y7AYNJlhkM4dOTC3lZ5MsG8DE=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=someguyinva.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1fAtf7IZksnt for <dmarc@mail2.ietf.org>; Tue, 9 Jun 2026 08:17:53 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9AB28FE1C3F1 for <dmarc@ietf.org>; Tue, 9 Jun 2026 08:17:53 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-68bac6e24fdso7655721a12.1 for <dmarc@ietf.org>; Tue, 09 Jun 2026 08:17:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1781018267; cv=none; d=google.com; s=arc-20240605; b=cUXepdxfEfQcft/634ZlE1H4dh0hegEdWFiKAzDWdQBfzhs9pH2fINxcAkhn55HlYr yBVQsnFxOagb+BntCDk7wyVpK2Td/N6sBDkBwaebOiMgonV4Ej4j+NJv73oyp9wqyLFA k0w4S7PgBod+nCaXWwLc356T5NKs0AQ9UNPeCyKIdZ8kUEYtO27wfOL3yrPTYx6an9z2 nS7MjZHCEDd+NJiTyVQCCFWzuHBWMhgzpfpumuQwszt4NZIEvENPuNrjW5fzUYv/DmtD ++BLmqZHAF8bGKgTFfI2CbZdVAVR4DJvFbJoUPJKqVAPXHv4A7jnJJI0KWdsqs9FWV5D vhfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=WJe67WbSq1L6gp0YKWmcGyWb48zkC5/9V1cmOlD5qaI=; fh=qzFu6PJfTyopW0eWLX9Id157wac766Eef9mM3r9NZZg=; b=JseVG+xg72biMSOFgwr42vOonfGjl9X34TuDirvzloICOciiDNWXwwtXdrc+FCmgN1 ycAHArlo+gz9JWxF2BAHAjqnLH2ozrtzHd4aG0ldYXpvoypAKZTkd7ovpiynhLsmeLft VDSrEra2Np2XbVVFCoPJNDm15Buju+kyHz991eBsqAMmdqNK6W21igmC5LWxkm0VnQCq XEi3FCpAY43rpcCYWUOWXYtwmB/FsrizTsU6HG0PcbYopwR7cGua1wFGdkwvSmBmFhFx ElEaZUubm11kAHzScLqqyQawhtgRjBvHIl79PwyKsgGXb2KOBgyTjFl3GfGlJkPKs21A NRUg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=someguyinva.com; s=k1; t=1781018267; x=1781623067; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=WJe67WbSq1L6gp0YKWmcGyWb48zkC5/9V1cmOlD5qaI=; b=qkVX9bFTlS/sHSTyrU+jVkdXYcQF1RjI1yX9tExtwYDqqMydCHfLPFp2uwk6SrMiQv R5/+udmKDD9kDJsxSH908SjKLhfP2eZxZ7EM8DYXLy6ohewTjFoGHhy3OOv12JL8mmwu 4AfT3q92fLQEV6cxYdrWB/E9lOMvOMcB4XvRH132p1BJ727DN8WDX4iRl+vgcufZBWmL Z+LttRfrcHxoFrJ3B4daisbSL3F3YPkR+Zd3lDv2A2t7Y9y4XyUt3m5oOjgJqRaKSVvA toz9MAXsyYj1vDgBJpkU6DqF/N6Ni2I+0nCt4/UTfsFrfqPSJ0rD6n+m9TuvX95Zb4V+ A4bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781018267; x=1781623067; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WJe67WbSq1L6gp0YKWmcGyWb48zkC5/9V1cmOlD5qaI=; b=MWqrmc71eCf5r8wZmAN1+O5RaWhXWoLUPacvMIvcILdTfR2UYzwy5oo5tkA53LFRK0 mau+3EPc2i7G/sIlXZ0zJsrsAKskgioGDtqMSwoncXvNWfDwDTp9eMGkBYJKTbNqSQc7 5uOKtscwuYGhweyZq9TGmC6BKGzxAq7/B8O3s7BfTjERBiH0Fxw20CqlA73IPANseryb P74OThqi6OyEP9bgA9LtVrZa2gr6sgpIXd8QsSPTBq9VveIiFhnS9qriDBlyMeJhjfz5 eBxWd9jBi5GeA4AO8ny/lkKSsVLDHtPt0grsCS1IO+osU4CnJUk57CXSgVG2j9YYp/k9 Zm6A==
X-Gm-Message-State: AOJu0YxzqNtuBdR2HELIWDqMb49x4Jz6trXsiCnTAtTIKO0BkhTDyJho b6OERKdAEb9W20RKIJqF0LwWNvPR2DhPHlEx+YiRTNsIeBp9aAk72CS5FUuCY/myPiEJIv31IZl 0B6g4a3KbtuSLQWXCDLFemtehniIgoA9QY4dCVD6oQlN7FiOCpCGvLw0=
X-Gm-Gg: Acq92OGUCg1DIezrM5ehNkN2eQL72QOihMAOOs+JVjnjc2O6MrOphqgz8m9wzXwC/YT wkdVaMxTHDRHEZ2uWK6tdah1qth9MIxaUQDXqWpWiJRVyQ1MQxbM7G/4l3DbsZG71iP0GhWChkv ICIpdqAKq+EDSdwMulACDJtIGnwm80X36vWM2K21UN5IXCJctIUBGBBc6rY4/CmQqIQIJkIuSLZ mXr+qlsY9uE4u1W9rJcxRpv2BOg9G9sRUh4LQjeIuxivMRH6uz9Fluatu3Ja2fW4uuJNgc190hN g472zK5NNX2A/JVnWbyehOpWeq0CAWABHWJwDirlXqbV4Z+ZW0s=
X-Received: by 2002:a05:6402:5189:b0:691:b129:6374 with SMTP id 4fb4d7f45d1cf-691b1296f03mr5239283a12.20.1781018266549; Tue, 09 Jun 2026 08:17:46 -0700 (PDT)
MIME-Version: 1.0
References: <1b793e75-1409-4344-bf3b-0f59bacb2591@dmarcwise.io>
In-Reply-To: <1b793e75-1409-4344-bf3b-0f59bacb2591@dmarcwise.io>
From: Todd Herr <todd@someguyinva.com>
Date: Tue, 09 Jun 2026 11:17:35 -0400
X-Gm-Features: AVVi8CeFwgzYpOBhNTioCupmcL1qTCgSh223XWR9-xLeghE9QlraC2JehENOlNc
Message-ID: <CAK2M3FCv+imtUnFOcLyKhssGXE41mgLv0heDWVwuFqtgBXdDew@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001dd7ba0653d3a1ce"
Message-ID-Hash: 5BVHIMZJIYKRUBFMA73LJ5MYOFAHVPXG
X-Message-ID-Hash: 5BVHIMZJIYKRUBFMA73LJ5MYOFAHVPXG
X-MailFrom: todd@someguyinva.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dmarc.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dmarc-ietf] Re: Compatibility of "np" tag with RFC 9824 (Compact Denial of Existence in DNSSEC)
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rLTqcnL-utYwn-BB8FvR2VDZ4AI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Owner: <mailto:dmarc-owner@ietf.org>
List-Post: <mailto:dmarc@ietf.org>
List-Subscribe: <mailto:dmarc-join@ietf.org>
List-Unsubscribe: <mailto:dmarc-leave@ietf.org>

On Tue, Jun 9, 2026 at 10:08 AM Matteo Contrini <matteo=
40dmarcwise.io@dmarc.ietf.org> wrote:

> Hi all,
>
> in RFC 9989, a domain is determined to be non-existent if the response
> code for the DNS query is NXDOMAIN. This definition is used in the "np"
> tag (non-existent subdomain policy).
>
> However, authoritative name servers doing DNSSEC online signing often
> use the so-called "NSEC Black Lies" method, now known as RFC 9824 -
> Compact Denial of Existence in DNSSEC, to authenticate non-existent
> domain responses. Instead of responding with NXDOMAIN and NSEC/NSEC3
> records, they respond with NODATA, an empty answer section, and a single
> NSEC record signaling the pseudo-record type NXNAME.
>
> A DMARC implementation following RFC 9989 would therefore never see
> NXDOMAIN and treat all domains using DNSSEC and Compact Denial of
> Existence as existent, even if they're not. The issue appears to be
> potentially significant since the NSEC Black Lies/Compact Denial of
> Existence method has been used extensively in commercial DNS providers,
> such as Cloudflare (since 2016), NS1 and Bunny DNS.
>
> My question is whether the new "np" tag is therefore to be considered
> incompatible with RFC 9824 - Compact Denial of Existence in DNSSEC, or
> if I missed something. I've looked at previous discussions in this
> mailing list but couldn't find anything relevant. I could only find
> that RFC 9091, which RFC 9989 obsoleted, had a broader non-existent
> definition which also included NODATA.
>
>
It is unknown, and perhaps unlikely, that an email message with an
RFC5322.From header domain that has neither an MX record nor an A or AAAA
record will even be considered for message acceptance, let alone DMARC
processing.

Appendix A.4 of RFC 9989 mentions this and touches on the NODATA response -
https://www.rfc-editor.org/rfc/rfc9989.html#appendix-A.4 - That section
reads, in part, "a "NODATA" response (rcode "NOERROR") means that the given
RR type queried for does not exist, but the domain name does." which seems
quite consistent with the first sentence of the Abstract of 9824 - "a
technique to generate a signed DNS response on demand for a nonexistent
name by claiming that the name exists but doesn't have any data for the
queried record type"

Worth noting too that a tag of "np=reject" does not mean "reject mail from
a non-existent subdomain"; it means "reject mail from a non-existent
subdomain if that message fails DMARC validation"

For the hypothetical message with the RFC5322.From domain
subdomain.example.com for which answers to the following queries are all
NODATA:

   - The domain's MX record
   - The domain's A or AAAA record
   - The TXT record _dmarc.subdomain.example.com (assuming it gets that far)

Assuming that such a message isn't outright rejected for there being no MX
or A (or AAAA) record, hen we must ask whether such a message could pass
DMARC validation checks or if the DMARC mechanism even applies.

The DMARC mechanism would apply if example.com has published a DMARC policy
record (or a subdomain somewhere between subdomain.example.com and
example.com, if the tree walk is in effect has published a DMARC policy
record).

If the DMARC mechanism applies, then standard DMARC validation can take
place, and if the message fails DMARC validation, then the governing DMARC
policy record would apply, with that record's p or sp tag (if it exists)
expressing the domain owner's handling preference.

If a message with an RFC5322.From domain with NODATA responses for its MX,
A, and DMARC policy records passes DMARC, it's up to the receiving site to
determine how to handle the message.

-- 
Todd