« All posts

DMARC'ın yeni np etiketi DNSSEC ile çakışıyor

RFC 9989'daki DMARC np etiketi, DNSSEC'in RFC 9824 kompakt yokluk kanıtlama mekanizmasıyla çelişiyor; Cloudflare, AWS ve Azure gibi sağlayıcılar etkileniyor.

The updated DMARC specification (RFC 9989), published by the IETF in May 2026, introduces a new np tag that lets domain owners set a distinct policy for non-existent subdomains. However, the tag's definition of a 'non-existent domain' conflicts with RFC 9824, the specification for compact denial of existence in DNSSEC. The clash stems from how DNS servers prove non-existence: standard DNS relies on NXDOMAIN responses, but DNSSEC must cryptographically sign that absence using NSEC or NSEC3 records, and compact denial-of-existence methods handle this differently.

As a result, domains using DNSSEC with major providers such as Cloudflare, NS1, AWS Route 53, and Azure may find that the np tag doesn't behave as intended, since receivers can't reliably confirm a subdomain truly doesn't exist. The researchers who found the issue reported it to the IETF working group responsible for DMARC; the problem was acknowledged, but no fix has been agreed upon yet.

While DNSSEC adoption remains limited, this incompatibility is directly relevant to email security and anti-spoofing defenses. For engineers building DNS and email infrastructure, it's a concrete case study in how two IETF standards, each reasonable on their own, can produce unexpected interactions when their underlying assumptions diverge.