Hasty Briefs


Why DMARC's new "NP" tag can fail with DNSSEC

4 hours ago
  • #DMARC
  • #Cybersecurity
  • #DNSSEC
  • DMARC's np tag (non-existent subdomain policy), defined in RFC 9989, lets a domain owner set a policy that applies only to subdomains that do not exist in DNS.
  • RFC 9989 decides "does not exist" by the DNS response code: a name is non-existent only if the query returns NXDOMAIN. RFC 9824 (Compact Denial of Existence in DNSSEC), however, has signed zones answer such queries with NOERROR plus an NSEC record whose type bitmap carries the NXNAME pseudo-type. The two definitions do not line up.
  • Large DNS providers (e.g., Cloudflare, AWS Route 53) use compact denial for DNSSEC-signed zones, so a query for a non-existent subdomain frequently returns NOERROR rather than NXDOMAIN, and the np policy is never applied.
  • Typical DMARC implementations check strictly for NXDOMAIN and neither set the DO bit nor inspect the NSEC type bitmap for NXNAME. A resolver that does not request DNSSEC records never sees the NSEC at all and receives what looks like an ordinary NODATA answer, so for signed domains the name is treated as existing and np is skipped.
  • IETF discussion has not settled the issue. The proposed fixes are for DMARC software to recognise the NXNAME signal, or for resolvers to set the EDNS Compact Answers OK (CO) flag, which lets compact-denial servers return NXDOMAIN again.
  • Until one of those is widely deployed, domain owners should assume np may not take effect, especially for DNSSEC-signed domains hosted at providers that use compact denial. When np is ignored, the sp (or p) policy governs non-existent subdomains, so that fallback should already be acceptable.
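The following is an added illustration, not code from the article or from any DMARC implementation. It shows the two ways a checker can classify a non-existent name: the naive rcode-only test that the article says most DMARC software uses, and a compact-denial-aware test that also accepts NOERROR when the authority-section NSEC lists the NXNAME pseudo-type (type code 128, as registered by RFC 9824). It also builds the EDNS OPT record a resolver would send to ask for DNSSEC records (DO) and compact answers (CO); the CO bit is taken to be the flag immediately after DO (0x4000) as described in RFC 9824, which you should confirm against the RFC before relying on it. The responses are constructed inline, so nothing here touches the network.

```python
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_OPT = 41
TYPE_RRSIG = 46
TYPE_NSEC = 47
TYPE_NXNAME = 128       # pseudo-type meaning "this owner name does not exist" (RFC 9824)

EDNS_FLAG_DO = 0x8000   # DNSSEC OK: please include DNSSEC records (RFC 3225)
EDNS_FLAG_CO = 0x4000   # Compact Answers OK: assumed bit position, see RFC 9824 before relying on it


def encode_type_bitmap(types):
    """Encode RR type codes into NSEC type-bitmap wire format (RFC 4034 section 4.1.2)."""
    windows = {}
    for t in types:
        windows.setdefault(t >> 8, set()).add(t & 0xFF)
    out = bytearray()
    for win in sorted(windows):
        bits = windows[win]
        length = max(bits) // 8 + 1          # only as many octets as the highest bit needs
        block = bytearray(length)
        for b in bits:
            block[b // 8] |= 0x80 >> (b % 8)  # bit 0 is the most significant bit of octet 0
        out += bytes([win, length]) + block
    return bytes(out)


def decode_type_bitmap(data):
    """Decode an NSEC type bitmap into the set of RR type codes it lists."""
    types = set()
    i = 0
    while i < len(data):
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed NSEC type bitmap")
        for j, byte in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((win << 8) | (j * 8 + bit))
        i += 2 + length
    return types


def naive_is_nonexistent(rcode):
    """The strict check the article attributes to most DMARC implementations."""
    return rcode == RCODE_NXDOMAIN


def name_is_nonexistent(rcode, authority):
    """
    Compact-denial-aware check. `authority` is a list of (rrtype, bitmap_bytes)
    taken from the authority section; owner/next-name parsing is omitted here.
    Returns (nonexistent, reason).
    """
    if rcode == RCODE_NXDOMAIN:
        return True, "NXDOMAIN"
    if rcode == RCODE_NOERROR:
        for rrtype, bitmap in authority:
            if rrtype == TYPE_NSEC and TYPE_NXNAME in decode_type_bitmap(bitmap):
                return True, "NOERROR+NXNAME"   # RFC 9824 compact denial of existence
        # Plain NODATA, an empty non-terminal (NSEC without NXNAME), or a real answer.
        return False, "NOERROR"
    return False, "rcode %d" % rcode


def edns_flags(dnssec_ok=True, compact_ok=True):
    """EDNS header flags for a query that wants NSEC records and NXDOMAIN restored."""
    return (EDNS_FLAG_DO if dnssec_ok else 0) | (EDNS_FLAG_CO if compact_ok else 0)


def build_opt_rr(flags, udp_payload=1232):
    """Wire-format OPT pseudo-RR (RFC 6891): root name, type 41, class=payload size,
    TTL=ext-rcode(0)/version(0)/flags, empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, flags, 0)


if __name__ == "__main__":
    # Constructed responses for a query about a non-existent subdomain.
    classic = (RCODE_NXDOMAIN, [])
    compact = (RCODE_NOERROR, [(TYPE_NSEC, encode_type_bitmap({TYPE_RRSIG, TYPE_NSEC, TYPE_NXNAME}))])
    ent = (RCODE_NOERROR, [(TYPE_NSEC, encode_type_bitmap({TYPE_RRSIG, TYPE_NSEC}))])
    for label, (rcode, auth) in [("classic", classic), ("compact", compact), ("ent", ent)]:
        print(label, "naive:", naive_is_nonexistent(rcode), "aware:", name_is_nonexistent(rcode, auth))
    print("OPT RR:", build_opt_rr(edns_flags()).hex())
```

The `compact` case is the one the article is about: the naive check reports the subdomain as existing and np never fires, while the NSEC-aware check recognises NXNAME. The `ent` case shows why NXNAME, not merely the presence of NSEC, is the signal: an empty non-terminal also comes back as NOERROR with an NSEC, but it does exist. None of this helps unless the query carried DO, since a server only includes the NSEC record for DNSSEC-aware queries.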