Why DMARC's new "NP" tag can fail with DNSSEC (dmarcwise.io)
12 points by matteocontrini 3 hours ago | 1 comment

pocksuppet 12 minutes ago
Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP. A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for", so these providers choose to always return the latter type of answer. Since the server is telling you the domain exists, policies about what to do when the domain doesn't exist don't apply. tptacek incoming in 3...2...1...
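As an added illustration, not part of this thread or of the linked article, here is a small Python model of the policy selection the comment describes: a receiver parses the organizational domain's DMARC record, decides whether the From: subdomain "exists" from the DNS response to that subdomain's own name, and then picks `p`, `sp` or `np`. The existence test keys on NXDOMAIN only, which is the receiver behaviour the comment assumes; the organizational domain, the DMARC record and the two DNS replies are constructed for the example. It shows that an authoritative server answering NODATA instead of NXDOMAIN makes `np=reject` never fire for a non-existent subdomain.

```python
"""Added example: how a DMARC evaluator chooses between p, sp and np,
and why a NODATA answer in place of NXDOMAIN defeats the np tag.
Sample record and DNS replies below are constructed, not real lookups."""
from dataclasses import dataclass
from enum import Enum


class Rcode(Enum):
    NOERROR = 0
    NXDOMAIN = 3


@dataclass(frozen=True)
class DnsReply:
    """Minimal model of one DNS response (constructed for this example)."""
    rcode: Rcode
    answers: tuple = ()  # records in the answer section, if any


VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict; raise on a malformed record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a usable DMARC record")
    for tag in ("sp", "np"):
        if tag in tags and tags[tag] not in VALID_POLICIES:
            raise ValueError(f"bad {tag} value: {tags[tag]!r}")
    return tags


def subdomain_is_nonexistent(reply: DnsReply) -> bool:
    """Receiver's existence test as described in the comment: only an
    NXDOMAIN answer counts as 'does not exist'. A NODATA answer (NOERROR
    with an empty answer section) means 'exists, but no such record type'."""
    return reply.rcode is Rcode.NXDOMAIN


def select_policy(record: dict, from_domain: str, org_domain: str,
                  reply: DnsReply) -> str:
    """Pick p / sp / np for a message whose From: domain is `from_domain`.

    `record` is the organizational domain's parsed DMARC record and `reply`
    is the DNS response obtained for `from_domain` itself.
    Tag defaults: sp falls back to p, np falls back to sp.
    """
    if from_domain == org_domain:
        return record["p"]
    sp = record.get("sp", record["p"])
    np_ = record.get("np", sp)
    return np_ if subdomain_is_nonexistent(reply) else sp


# --- constructed scenario ---------------------------------------------------
ORG = "example.com"  # hypothetical organizational domain
RECORD = parse_dmarc("v=DMARC1; p=none; sp=none; np=reject; "
                     "rua=mailto:dmarc@example.com")

# Honest authoritative answer for a name that does not exist.
NXDOMAIN_REPLY = DnsReply(Rcode.NXDOMAIN)
# Shortened-denial style answer for the same name: NOERROR, no records.
NODATA_REPLY = DnsReply(Rcode.NOERROR, answers=())


def policy_with_nxdomain() -> str:
    return select_policy(RECORD, "ghost.example.com", ORG, NXDOMAIN_REPLY)


def policy_with_nodata() -> str:
    return select_policy(RECORD, "ghost.example.com", ORG, NODATA_REPLY)


if __name__ == "__main__":
    print("NXDOMAIN reply ->", policy_with_nxdomain())  # reject: np applies
    print("NODATA reply   ->", policy_with_nodata())    # none: np skipped, sp applies
```

The whole difference sits in `subdomain_is_nonexistent`: the same DMARC record and the same absent subdomain yield `reject` or `none` depending solely on whether the authoritative server says NXDOMAIN or NODATA, so a domain owner relying on `np` should confirm what their DNS provider actually returns for a non-existent name.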