IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 02:48 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 572DD3A1210 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:48:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8QI7omJMdhPX for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:48:41 -0800 (PST)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 983D33A120A for <behave@ietf.org>; Sun, 6 Feb 2022 18:48:40 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id 8E59D240026 for <behave@ietf.org>; Mon, 7 Feb 2022 03:48:37 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644202117; bh=lBlajeFNAH70wvT/HgiYtIV3oX+0lXuXqnS6gUPKVSc=; h=Date:Subject:To:From:From; b=DXuUrhrrpiDGWvix2yEh82Rm7pHZQCJ70XTLfHPsmIv+kWexvMsDdmCcyFhoUF44r pxh2U/23Pdj4tML1GtFXOsyH2EbH0BOvjJIryVB0pxKX5cBzCHd3QA62j6Lqc4vZIr PGCLs6qYctoXifKeDuyekxpfIz5R9vhAMm0SZGbLEAh5/pMHQKKF7q1XAJydZdseEM FDfj00nDRQEt7HRLokNQasvPQwQKE7VRlnT3/CR+5dvV0Rnp4ui7XYpnQgduoGagpo ++lTwFE8FNPDtqHGoQ6OeFN/kgP+lGisTGZfaUeCHr0/iZvFXwe/JUyxdAsLY1Tpn2 Ud0UzE7du35+w==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsVvR6cfLz9rxK; Mon, 7 Feb 2022 03:48:35 +0100 (CET)
Message-ID: <a4dbfa8c-abb4-e4e7-e53c-d7f54a2e5bf9@posteo.de>
Date: Mon, 07 Feb 2022 02:48:34 +0000
MIME-Version: 1.0
Content-Language: en-US
To: Christian Huitema <huitema@huitema.net>, Keith Moore <moore@network-heretics.com>, behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <6123a322-e9a7-7f90-391f-9b4c4461ce45@network-heretics.com> <e95993e4-4166-4b3d-1637-8ca451b093b6@huitema.net> <7b7cf541-3387-6d0b-0fbe-273a08fd37ed@posteo.de> <0d18c171-f713-4590-d9a6-3c5729a3384c@huitema.net>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <0d18c171-f713-4590-d9a6-3c5729a3384c@huitema.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms010600090102050107070107"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/BIPLd9b7LkNrzkWimoDKPOOucaY>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:48:48 -0000

The DNS64 server could be this secure DNS. Also for providers (esp. 
cloud providers) that want to deploy provider level NAT64 support and 
provide a DNS64 server to allow customers to build ipv6 only networks 
(with additional IPv4aaS) would also benefit from this. Also the noted 
"smtp server and DNS may not be under the same management" is also one 
of the reasons why it should be within DNS64. It is fair to assume that 
when providing a DNS64 service that all parties would assume full 
rewrite of the DNS to support the NAT64. But with SPF being the only 
standard that writes IPv4 addresses into the DNS that is currently *NOT* 
rewritten and by the RFC also stating that "*All other RRs MUST be 
returned unchanged*" it also prevents anyone that want to follow the RFC 
from rewriting the SPF themselves.

On 2022-02-07 03:30, Christian Huitema wrote:
> On 2/6/2022 6:20 PM, Klaus Frank wrote:
>
>> You left out the other half of Section 6.2 where it says:
>>
>>    Alternatively,
>>    the validating host may establish a trusted connection with a DNS64,
>>    and allow the DNS64 recursive resolver to do all validation on its
>>    behalf.
>>
>> Which is allowing the DNS64 server to rewrite the SPF record... 
>
> Yes, but doing that requires updating the code on the DNS64 server, 
> which may or may not be under the same management as the SMTP server. 
> The DNS64 update would  also will still break if the SMTP server is 
> configured to access a secure DNS server using encrypted DNS -- DoH, 
> DoT or DoQ. Turns out that "use encrypted DNS" is one of the 
> recommendations pushed for network security, because it prevents DNS 
> spoofing and DNS monitoring attacks. Overall, it is probably easier 
> and more robust to deploy a change in the SMTP servers.
>
> -- Christian Huitema
>

v2.23.0 | Report a Bug | By Email