Why DMARC's new "NP" tag can fail with DNSSEC
4 hours ago
- #DMARC
- #Cybersecurity
- #DNSSEC
- DMARC's new np tag (non-existent subdomain policy) was introduced in RFC 9989 to apply policies to non-existent subdomains.
- RFC 9989 defines non-existent domains by NXDOMAIN response code, but RFC 9824 (Compact Denial of Existence in DNSSEC) uses NOERROR with NXNAME bit for DNSSEC, causing a clash.
- Many DNS providers (e.g., Cloudflare, AWS Route 53) use compact denial, so NXDOMAIN is often not returned, leading to np tag failures in DMARC implementations.
- DMARC implementations typically check strictly for NXDOMAIN and don't support DNSSEC or the NXNAME bit, so the np tag may not work for DNSSEC-signed domains.
- IETF discussions haven't resolved the issue; solutions include DMARC software checking NXNAME or wider adoption of NXDOMAIN restoration via CO flag.
- Domain owners should assume np tag may not work reliably, especially with DNSSEC and major DNS providers using compact denial.
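The clash described above, as an added example that is not part of the original post: a small Python check that treats a name as non-existent under both signals, the NXDOMAIN rcode that RFC 9989 expects and the compact-denial NOERROR response whose NSEC type bitmap carries NXNAME (type code 128, allocated by RFC 9824). Responses are modelled as plain dicts and the sample responses are constructed, not captured; a real implementation would also DNSSEC-validate the NSEC before trusting it.

```python
# Added example, not code from the original post or any DMARC project.
NXDOMAIN, NOERROR = 3, 0
NXNAME_TYPE = 128          # NXNAME meta-type code allocated by RFC 9824
NSEC_TYPE, RRSIG_TYPE = 47, 46

def types_in_bitmap(bitmap: bytes) -> set:
    """Decode an RFC 4034 NSEC type bitmap (window blocks) into RR type codes."""
    types, i = set(), 0
    while i < len(bitmap):
        window, length = bitmap[i], bitmap[i + 1]
        for byte_idx, byte in enumerate(bitmap[i + 2:i + 2 + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add(window * 256 + byte_idx * 8 + bit)
        i += 2 + length
    return types

def bitmap_for(types) -> bytes:
    """Encode RR type codes as an NSEC type bitmap (used to build samples)."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                bits[(t & 0xFF) // 8] |= 0x80 >> ((t & 0xFF) % 8)
        length = max(i for i, b in enumerate(bits) if b) + 1
        out += bytes([window, length]) + bytes(bits[:length])
    return out

def naive_nxdomain_only(resp: dict) -> bool:
    """What many DMARC implementations do today: only NXDOMAIN counts."""
    return resp["rcode"] == NXDOMAIN

def name_is_nonexistent(resp: dict) -> bool:
    """True if the np target does not exist under either RFC's encoding."""
    if resp["rcode"] == NXDOMAIN:
        return True                      # classic signal, as RFC 9989 expects
    if resp["rcode"] == NOERROR and not resp.get("answer"):
        for rr in resp.get("authority", []):
            if rr["type"] == NSEC_TYPE and NXNAME_TYPE in types_in_bitmap(rr["bitmap"]):
                return True              # compact denial of existence, RFC 9824
    return False

# Constructed samples: an unsigned zone answering NXDOMAIN, and a DNSSEC-signed
# zone on a compact-denial provider answering NOERROR with NXNAME in the NSEC.
CLASSIC = {"rcode": NXDOMAIN, "answer": [], "authority": []}
COMPACT = {"rcode": NOERROR, "answer": [],
           "authority": [{"type": NSEC_TYPE,
                          "bitmap": bitmap_for({RRSIG_TYPE, NSEC_TYPE, NXNAME_TYPE})}]}
```

Running both checks over `COMPACT` shows the failure mode in the post: the naive check says the subdomain exists, so the np policy is never applied.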