IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 07 February 2022 23:25 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E374D3A0EE0 for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 15:25:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=mzYazkgX; dkim=pass (1024-bit key) header.d=yitter.info header.b=eZGE2RFP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15EPitz10Tg3 for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 15:25:10 -0800 (PST)
Received: from mx5.yitter.info (mx5.yitter.info [159.203.31.152]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECF7A3A0E71 for <behave@ietf.org>; Mon, 7 Feb 2022 15:25:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mx5.yitter.info (Postfix) with ESMTP id 7ED0CBD5C8 for <behave@ietf.org>; Mon, 7 Feb 2022 23:24:38 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1644276278; bh=MLtSXgKeLGP8YOUvi6waiHfpb4aOUD0qCk9o4zUHYY8=; h=Date:From:To:Subject:References:In-Reply-To:From; b=mzYazkgXG/tYUvHGVan+FXM5+cw6ARuaY/+2BcRMXY68086X+o96eu99lgXESd6lq udMN4Ww7SL4arJXtnIytQWtyAVZSp5OZkHjwByP912MCCC6JcDNM5twutGAx32MBlD 9PzTAthxAYZzGX8PnpIYf5mB9ShjLR4/Vi5WoanU=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx5.yitter.info ([127.0.0.1]) by localhost (mx5.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uqv0sjjMo9nL for <behave@ietf.org>; Mon, 7 Feb 2022 23:24:37 +0000 (UTC)
Date: Mon, 07 Feb 2022 18:24:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1644276277; bh=MLtSXgKeLGP8YOUvi6waiHfpb4aOUD0qCk9o4zUHYY8=; h=Date:From:To:Subject:References:In-Reply-To:From; b=eZGE2RFPLu5LnHu/bB7utbqAH/XJMyA/0+OMXB1eYAuhCq5UPpysmCd9VbZcUNl// qBbWIT4chwdj8SjHads9700YqntUVoiSIYa1CE2KdXN3zIt9jzAniyOHphL6pTKZeZ 2k7d/Zq5zFyv5q2FGI4AE/ID0YNkXfB4D8u2uET8=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: behave@ietf.org
Message-ID: <20220207232434.4xrcdmhm3kwwhytu@crankycanuck.ca>
Mail-Followup-To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <22B55BB2-3854-4152-BBD5-900B169B9173@virtualized.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <22B55BB2-3854-4152-BBD5-900B169B9173@virtualized.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/H6bZvtrsetFEA9y0jdwycjquPaY>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 23:25:15 -0000

Hi,

On Mon, Feb 07, 2022 at 10:37:28AM -0800, David Conrad wrote:
>
>Yes, IPv4 addresses (or what may look like IPv4 addresses) can exist in TXT records arbitrarily, however, IIRC, SPF TXT records are fairly tightly constrained to start with “v=spf1 …” and the content of interest here must be prefixed with “ipv4: “.  Given this, I’d imagine it’d be pretty straight forward for DNS64 to find the relevant IPv4 addresses to do whatever transforms are necessary, leaving other IPv4 addresses embedded in TXT RRs as Someone Else’s Problem (if encountered).
>

I think I pointed this out on the other list, but there's a difference in kind between the two cases.

For A and PTR records, a DNS64 knows that it has work to do because the datatype tells you so.  Part of the problem in SPF's case is that it uses TXT, which can contain any arbitrary text.  So, this means that _at the very least_ the DNS64 needs to parse some part of the RDATA before it can decide whether it needs to act.  It's a different model, and there is no reason to suppose that the code path that relies on strongly-typed data will work well for data that is effectively untyped.

Moreover, I think it is really weird to suggest that DNS64 is going to start picking and choosing when it's going to fiddle with the IP literals in the RDATA it is dealing with.  If DNS64 is supposed to fix up IPv4 literals in TXT records when SPF is working, it will be entirely natural for people to generalize that to "DNS64 alters IPv4 literals in TXT records" rather than "DNS64 alters IPv4 literals in TXT records where the RDATA starts "v-spf1…."  Then there will be a new surprise when it works for SPF but not for some other case where an IP literal is in a TXT record (which might not, of course, even be aa standard).

When we made DNS64, the DNSSEC handling depended on the idea that, if you're planning to do validation yourself, you'd need to do DNS64 yourself too; and if you couldn't, it would break.  I think this is sort of an analagous case: if you need to handle IP literals inside DNS data that is not designed to carry such literals, then you're going to need to be aware of how to handle such literals.  That argues for making the SPF processor DNS64 aware for cases when it's going to be used behind DNS64.  DNS64 was always kinda brittle; this is just another example of it.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.23.0 | Report a Bug | By Email