IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

marcelo bagnulo braun <marcelo@it.uc3m.es> Mon, 07 February 2022 06:35 UTC

Return-Path: <marcelo@it.uc3m.es>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21F813A005F for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 22:35:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.713
X-Spam-Level:
X-Spam-Status: No, score=-2.713 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=it.uc3m.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oPp-LfzXQpRv for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 22:35:03 -0800 (PST)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B20073A0062 for <behave@ietf.org>; Sun, 6 Feb 2022 22:34:57 -0800 (PST)
Received: by mail-ej1-x62c.google.com with SMTP id ka4so38853130ejc.11 for <behave@ietf.org>; Sun, 06 Feb 2022 22:34:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=it.uc3m.es; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=ONaDycxUw4q+0w9dinaeaBw4X+4pO1DI6QHl9r7E2dA=; b=eiVTSi/ZwO96RS9N8/hIqKMgjN2ZB4911hQk5yqB3So6tfwD4puOSF2EOJlWU8lhYb vMx4u2uqireEVFNgGOFnsOyOsHFvhoBfhvCtqUB0IlGR5/qYk7lrbZImYFkBI9FUE+Zo 31joImrqQ6L2G71hNRzKMSOE1T8CeTpWy91PcOtQwY5dKYcgb4s1MlS07H2uiEKELV5i NE33NGVxGnBX5TF5LN8NZcYujvEEe872e0GvyjowgdLb0QGQN+X+hcbeu5T9IHYz1R/B m32MqCkndBY9YXplyvipRzi34DvbA1tXrXm9IZ83ypY/k6fdzWKkvxrfdbTxAnlFVUxy Z3xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=ONaDycxUw4q+0w9dinaeaBw4X+4pO1DI6QHl9r7E2dA=; b=zaj0Mgu4iiFBJOUzLvJPAIsTfivz9E6mut/hckM8XaY2fweM5L13bqMEZ3/suCoQ70 8mSBakfdhwuINh1uSph1lmNniecCTPsPvcdgxO/tXZXGSoaX2NVjgg8Vj1MpLBG7XcyR w+Ka62zlMgBYS+1oJ8+r+0c2bGmR5U05LSM7K/5oJSaCL2pwLdgTg+o4ggbDEmzettc4 0uhm6ri2tlxJpMLQsc5eRifFyiG2T7zCJb5iJ2/hwtc7Q4wV2JbSpuGmarHj0RXt1NKH j4XIrHp5tCS6gx19cBe02axZX2RzP8+yWl2ZPYqzWYvSyFgO9t+Lz/+BepLYF4hHCTeR 5jEw==
X-Gm-Message-State: AOAM530pXN3WdAXP/jBjTcOipjswJh8/DBhf4Gdi28en3weHPWub1B8B +1Eh50XbvuQ6pkXreOJw7q6oSbA+/TSAHi2P
X-Google-Smtp-Source: ABdhPJyqt5G8GfdGpIkKjaZY64CqUifQ1UNQcOusbH5JloJ2anfSgIxgohYoferLbgSUqV8OXn1lpw==
X-Received: by 2002:a17:907:6da6:: with SMTP id sb38mr8848825ejc.58.1644215693599; Sun, 06 Feb 2022 22:34:53 -0800 (PST)
Received: from [10.118.28.105] ([163.117.64.17]) by smtp.gmail.com with ESMTPSA id fw6sm2048538ejc.143.2022.02.06.22.34.52 for <behave@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 06 Feb 2022 22:34:53 -0800 (PST)
Message-ID: <50b919ba-22e5-cfd0-5e44-b905d42c50b7@it.uc3m.es>
Date: Mon, 07 Feb 2022 07:34:52 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-GB
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <6123a322-e9a7-7f90-391f-9b4c4461ce45@network-heretics.com> <e95993e4-4166-4b3d-1637-8ca451b093b6@huitema.net> <7b7cf541-3387-6d0b-0fbe-273a08fd37ed@posteo.de> <0d18c171-f713-4590-d9a6-3c5729a3384c@huitema.net> <a4dbfa8c-abb4-e4e7-e53c-d7f54a2e5bf9@posteo.de>
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
In-Reply-To: <a4dbfa8c-abb4-e4e7-e53c-d7f54a2e5bf9@posteo.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/PyVkfNd0O6yL0HhLaXkFA7z1_iY>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 06:35:10 -0000

El 7/2/22 a las 3:48, Klaus Frank escribió:
> The DNS64 server could be this secure DNS.

This would consistent with the deployment scenario presented in section 
7.1 of RFC6147.

Regards, marcelo





> Also for providers (esp. cloud providers) that want to deploy provider 
> level NAT64 support and provide a DNS64 server to allow customers to 
> build ipv6 only networks (with additional IPv4aaS) would also benefit 
> from this. Also the noted "smtp server and DNS may not be under the 
> same management" is also one of the reasons why it should be within 
> DNS64. It is fair to assume that when providing a DNS64 service that 
> all parties would assume full rewrite of the DNS to support the NAT64. 
> But with SPF being the only standard that writes IPv4 addresses into 
> the DNS that is currently *NOT* rewritten and by the RFC also stating 
> that "*All other RRs MUST be returned unchanged*" it also prevents 
> anyone that want to follow the RFC from rewriting the SPF themselves.
>
> On 2022-02-07 03:30, Christian Huitema wrote:
>> On 2/6/2022 6:20 PM, Klaus Frank wrote:
>>
>>> You left out the other half of Section 6.2 where it says:
>>>
>>>    Alternatively,
>>>    the validating host may establish a trusted connection with a DNS64,
>>>    and allow the DNS64 recursive resolver to do all validation on its
>>>    behalf.
>>>
>>> Which is allowing the DNS64 server to rewrite the SPF record... 
>>
>> Yes, but doing that requires updating the code on the DNS64 server, 
>> which may or may not be under the same management as the SMTP server. 
>> The DNS64 update would  also will still break if the SMTP server is 
>> configured to access a secure DNS server using encrypted DNS -- DoH, 
>> DoT or DoQ. Turns out that "use encrypted DNS" is one of the 
>> recommendations pushed for network security, because it prevents DNS 
>> spoofing and DNS monitoring attacks. Overall, it is probably easier 
>> and more robust to deploy a change in the SMTP servers.
>>
>> -- Christian Huitema
>>
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email