Discussion summary

Discussions focus on the issues with DMARC's new 'NP' tag and DNSSEC, highlighting problems with DNS provider implementations and DNS record handling.

What the discussion says

  • Some argue the 'NP' tag semantics are misguided.
  • DNS providers like Cloudflare may return incorrect data to optimize responses.
  • There is concern about DNSSEC signatures and their impact on DNS responses.
  • The mismatch between DNS standards and provider implementations is problematic.
The new 'NP' feature’s semantics are misguided.
amluto
Many DNS providers return incorrect data to avoid switching to TCP.
pocksuppet

Comments

Hacker News

While nothing good can be said about the design of DNSSEC here, it seems to me that the new np feature’s semantics are also misguided. I get it: if I own company.com and I’m not using foo.company.com, then maybe I should set np=reject on company.com’s DMARC rule so that no one can spoof email from it.

But it seems odd that www.company.com should be considered present for this purpose even if it has no MX records. And if I want to send from noreply.company.com, then setting some unrelated DNS record type there to prevent it from being not “not present” seems like a giant kludge.

And lots of domains have subdomains that are intended for some non-email purpose (api.company.com or whatever), and those shouldn’t be allowed without further policy. Nor should (technically invalid for SMTP but maybe allowed anyway) delights like _dmarc.company.com itself.

Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?

by amluto

> Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?

MX implies a domain can receive email, you don't need it to send email. A setup where company.example sends email from companymailings.example but sets a reply-to for support@company.example is perfectly valid (even if it's stupid and confusing). Plus there's that weird legacy behaviour of mail servers delivering to port 25 to the IP in the A record if MX records are missing.

by jeroenhd

> Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?

That doesn't match the SMTP spec, RFC 5321 says

> If an empty list of MXs is returned, the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.

https://www.rfc-editor.org/rfc/rfc5321.html#section-5

by toast0

> Finally, one aspect to consider is that many mail servers reject mail when the Envelope From domain has no MX or A/AAAA records. When the Envelope From domain and From domain are identical, this may reduce the number of relevant cases. The np tag was nonetheless introduced, so it was probably deemed realistic that a mail receiver reaches the point where the np policy is evaluated.

In practice DMARC verifiers can/will do the same for checking ‘non-existent’ subdomain. Query A/AAAA/MX and if no usable answers are given, the subdomain does not exist. Who cares if it is NXDOMAIN or NODATA.

by winstonwinston

Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP. A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer. Since the server is telling you the domain exists, policies about what to do when the domain doesn't exist don't apply.

tptacek incoming in 3...2...1...

by pocksuppet

> A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer

This seems like a major design flaw in DNSSEC, if so.

(I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)

by woodruffw

At the time it was well known that messing around with NXDOMAIN would cause problems. But some companies wanted to do it anyhow.

The solution is simple, if you want to use this DMARC feature then don't host with companies that do weird stuff with NXDOMAIN.

by phicoh

> Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP.

I feel like we need the angry goose meme here.

"But why are those providers returning incorrect data?"

by growse

Join the discussion

Write your take first — we'll ask for email only when you're ready to publish.

  • Hacker News
  • While nothing good can be said about the design of DNSSEC here, it seems to me that the new np feature’s semantics are also misguided. I get it: if I own company.com and I’m not using foo.company.com, then maybe I should set np=reject on company.com’s DMARC rule so that no one can spoof email from it.

    But it seems odd that www.company.com should be considered present for this purpose even if it has no MX records. And if I want to send from noreply.company.com, then setting some unrelated DNS record type there to prevent it from being not “not present” seems like a giant kludge.

    And lots of domains have subdomains that are intended for some non-email purpose (api.company.com or whatever), and those shouldn’t be allowed without further policy. Nor should (technically invalid for SMTP but maybe allowed anyway) delights like _dmarc.company.com itself.

    Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?

    by amluto
  • by gjvc
  • > Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?

    MX implies a domain can receive email, you don't need it to send email. A setup where company.example sends email from companymailings.example but sets a reply-to for support@company.example is perfectly valid (even if it's stupid and confusing). Plus there's that weird legacy behaviour of mail servers delivering to port 25 to the IP in the A record if MX records are missing.

    by jeroenhd
  • > Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?

    That doesn't match the SMTP spec, RFC 5321 says

    > If an empty list of MXs is returned, the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.

    https://www.rfc-editor.org/rfc/rfc5321.html#section-5

    by toast0
  • > Finally, one aspect to consider is that many mail servers reject mail when the Envelope From domain has no MX or A/AAAA records. When the Envelope From domain and From domain are identical, this may reduce the number of relevant cases. The np tag was nonetheless introduced, so it was probably deemed realistic that a mail receiver reaches the point where the np policy is evaluated.

    In practice DMARC verifiers can/will do the same for checking ‘non-existent’ subdomain. Query A/AAAA/MX and if no usable answers are given, the subdomain does not exist. Who cares if it is NXDOMAIN or NODATA.

    by winstonwinston
  • Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP. A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer. Since the server is telling you the domain exists, policies about what to do when the domain doesn't exist don't apply.

    tptacek incoming in 3...2...1...

    by pocksuppet
  • > A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer

    This seems like a major design flaw in DNSSEC, if so.

    (I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)

    by woodruffw
  • At the time it was well known that messing around with NXDOMAIN would cause problems. But some companies wanted to do it anyhow.

    The solution is simple, if you want to use this DMARC feature then don't host with companies that do weird stuff with NXDOMAIN.

    by phicoh
  • > Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP.

    I feel like we need the angry goose meme here.

    "But why are those providers returning incorrect data?"

    by growse

Related stories