[dmarc-ietf] Re: Compatibility of "np" tag with RFC 9824 (Compact Denial of Existence in DNSSEC)
Matteo Contrini <matteo@dmarcwise.io> Tue, 09 June 2026 16:19 UTC
From: Matteo Contrini <matteo@dmarcwise.io>
To: dmarc@ietf.org
Date: Tue, 09 Jun 2026 18:18:53 +0200
In-Reply-To: <CAK2M3FCv+imtUnFOcLyKhssGXE41mgLv0heDWVwuFqtgBXdDew@mail.gmail.com>
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sCU_ROb0orj6ILqFGMlH-P9nRx4>
Thanks for the answer, Todd.

On 09/06/2026 17:17, Todd Herr wrote:
> It is unknown, and perhaps unlikely, that an email message with an
> RFC5322.From header domain that has neither an MX record nor an A or
> AAAA record will even be considered for message acceptance, let alone
> DMARC processing.

We can agree on that, but the "np" tag was introduced nonetheless, so I suppose it was deemed realistic that a mail receiver reaches the point where the "np" policy is evaluated even with those premises.

> That section reads, in part, "a "NODATA" response (rcode "NOERROR")
> means that the given RR type queried for does not exist, but the
> domain name does." which seems quite consistent with the first
> sentence of the Abstract of 9824 - "a technique to generate a signed
> DNS response on demand for a nonexistent name by claiming that the
> name exists but doesn't have any data for the queried record type"

True, but RFC 9824 also provides a way to distinguish between "no data for this RR type" and a non-existent domain name:
https://datatracker.ietf.org/doc/html/rfc9824#name-distinguishing-nonexistent-

Section 6 also states that:

> [...] tools that rely on accurately determining nonexistent names will need to infer them from the presence of the NXNAME RR type in the Type Bit Maps field of the NSEC record in NODATA responses from these servers.

> For the hypothetical message with the RFC5322.From domain
> subdomain.example.com for which answers to the following queries are
> all NODATA:
>
> * The domain's MX record
> * The domain's A or AAAA record
> * The TXT record _dmarc.subdomain.example.com (assuming it gets that far)
>
> Assuming that such a message isn't outright rejected for there being
> no MX or A (or AAAA) record, then we must ask whether such a message
> could pass DMARC validation checks or if the DMARC mechanism even applies.
>
> The DMARC mechanism would apply if example.com has published a DMARC
> policy record (or a subdomain somewhere between subdomain.example.com
> and example.com, if the tree walk is in effect, has published a DMARC
> policy record).
>
> If the DMARC mechanism applies, then standard DMARC validation can
> take place, and if the message fails DMARC validation, then the
> governing DMARC policy record would apply, with that record's p or sp
> tag (if it exists) expressing the domain owner's handling preference.

Isn't that precisely the problem here? A domain owner has the expectation that "np" would be used in this case, not "p" or "sp". NXDOMAIN and NSEC NXNAME mean the exact same thing, i.e. that the domain is non-existent, so "np" should apply in both cases.

If the DMARC spec, and therefore implementors, don't take this into account, isn't this an interoperability issue, especially now that RFC 9824 is a Proposed Standard with already significant real-world usage (see Cloudflare, NS1, etc.)?

I know it's way too late to raise this, but I'm wondering if this can either fit as an erratum or if we can agree it's something the WG should take into consideration in the next DMARC revision (if any, and likely in a decade :-)).

> --
> Todd

-- 
Matteo
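The distinction the message turns on, an explicit NXDOMAIN versus a NOERROR/NODATA answer whose NSEC Type Bit Maps carry NXNAME, and the effect on which DMARC tag governs, worked through as an added example in Python. This is not code from the thread, from RFC 9824 or from any DMARC implementation. It assumes the NXNAME RR type code is 128 (the value RFC 9824 registers), that the DMARCbis precedence for non-existent subdomains is np, then sp, then p, and it follows the reading argued above that an NXNAME-bearing NODATA answer counts as a non-existent name. The DNS responses and the DMARC record are constructed inline; the Type Bit Maps codec is the RFC 4034 wire format so the NXNAME check operates on real bitmap bytes.

```python
"""Classify DNS negative answers (including RFC 9824 compact denial of
existence) and pick the governing DMARC policy tag.  Added example, not
code from the thread, RFC 9824 or any DMARC implementation."""
from dataclasses import dataclass, field
from typing import Iterable

# RR type codes from the IANA registry.  NXNAME (128) is the meta-type
# RFC 9824 registers to mark a non-existent name inside a NODATA answer
# (assumed value; confirm against the IANA DNS parameters registry).
RRTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
          "RRSIG": 46, "NSEC": 47, "NXNAME": 128}


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Encode RR type codes as an RFC 4034 section 4.1.2 Type Bit Maps field:
    one <window><length><bitmap> block per 256-type window, high bit first."""
    windows: dict[int, bytearray] = {}
    for t in types:
        win, low = divmod(t, 256)
        byte_idx, bit = divmod(low, 8)
        windows.setdefault(win, bytearray(32))[byte_idx] |= 0x80 >> bit
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win]
        length = max(i + 1 for i, b in enumerate(bm) if b)  # trailing zero bytes dropped
        out += bytes([win, length]) + bytes(bm[:length])
    return bytes(out)


def decode_type_bitmap(data: bytes) -> set[int]:
    """Decode a Type Bit Maps field; truncated or oversized windows raise
    instead of silently yielding a partial type set."""
    types: set[int] = set()
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError("bitmap length must be 1..32")
        bm = data[pos + 2:pos + 2 + length]
        if len(bm) != length:
            raise ValueError("truncated bitmap")
        for byte_idx, b in enumerate(bm):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.add(win * 256 + byte_idx * 8 + bit)
        pos += 2 + length
    return types


@dataclass
class DnsResponse:
    """The parts of a (DNSSEC-validated) response the classifier needs."""
    rcode: str                                                # "NOERROR" or "NXDOMAIN"
    answer_types: set[int] = field(default_factory=set)       # RR types in the answer section
    nsec_bitmaps: list[bytes] = field(default_factory=list)   # Type Bit Maps of authority NSEC RRs


def classify(resp: DnsResponse) -> str:
    """Return "DATA", "NODATA" or "NXDOMAIN".  A NOERROR answer whose NSEC
    bitmap carries NXNAME is a compact-denial NXDOMAIN (RFC 9824 section 6)."""
    if resp.rcode == "NXDOMAIN":
        return "NXDOMAIN"
    if resp.rcode != "NOERROR":
        raise ValueError(f"unexpected rcode {resp.rcode}")
    if resp.answer_types:
        return "DATA"
    if any(RRTYPE["NXNAME"] in decode_type_bitmap(bm) for bm in resp.nsec_bitmaps):
        return "NXDOMAIN"
    return "NODATA"  # name exists (maybe as an empty non-terminal) but lacks this type


def name_is_nonexistent(responses: Iterable[DnsResponse]) -> bool:
    """A name either exists or it does not, whatever type was queried, so one
    NXDOMAIN (explicit or via NXNAME) among the MX/A/AAAA lookups settles it."""
    return any(classify(r) == "NXDOMAIN" for r in responses)


def governing_tag(record: dict, is_subdomain: bool, nonexistent: bool) -> str:
    """Which tag of the DMARC record applies (assumed DMARCbis precedence:
    np for non-existent subdomains, falling back to sp, then p)."""
    if is_subdomain and nonexistent and "np" in record:
        return "np"
    if is_subdomain and "sp" in record:
        return "sp"
    return "p"


# Constructed sample: example.com publishes p/sp/np; subdomain.example.com is
# served by a compact-denial signer, so MX, A and AAAA all come back NOERROR
# with an authority NSEC whose bitmap reads "RRSIG NSEC NXNAME".
SAMPLE_RECORD = {"v": "DMARC1", "p": "none", "sp": "quarantine", "np": "reject"}
COMPACT_DENIAL_BITMAP = encode_type_bitmap([RRTYPE["RRSIG"], RRTYPE["NSEC"], RRTYPE["NXNAME"]])
ENT_BITMAP = encode_type_bitmap([RRTYPE["RRSIG"], RRTYPE["NSEC"]])  # empty non-terminal
SAMPLE_LOOKUPS = [DnsResponse("NOERROR", set(), [COMPACT_DENIAL_BITMAP]) for _ in ("MX", "A", "AAAA")]


def policy_for_sample() -> str:
    """Tag an evaluator that understands NXNAME applies to the sample subdomain."""
    return governing_tag(SAMPLE_RECORD, True, name_is_nonexistent(SAMPLE_LOOKUPS))


if __name__ == "__main__":
    print("compact denial ->", classify(SAMPLE_LOOKUPS[0]))
    print("empty non-terminal ->", classify(DnsResponse("NOERROR", set(), [ENT_BITMAP])))
    print("governing tag ->", policy_for_sample())
```

An evaluator that looks only at the rcode sees three NODATA answers for the sample, treats the name as existing, and lands on "sp" (quarantine) instead of "np" (reject); the NXNAME check in `classify` is the only thing that separates the two outcomes. The empty-non-terminal bitmap ("RRSIG NSEC" with no NXNAME) is included to show that not every type-less NODATA answer from a compact-denial signer means the name is absent.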