IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 00:38 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35E663A107C for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 16:38:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vNSTQcFUdIIn for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 16:38:52 -0800 (PST)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA03B3A1070 for <behave@ietf.org>; Sun, 6 Feb 2022 16:38:51 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id C83A8240026 for <behave@ietf.org>; Mon, 7 Feb 2022 01:38:46 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644194326; bh=6V1XEyTl+t/kph17ghU+8jVp09zt73p0t6nQUqkOeVA=; h=Date:Subject:To:From:From; b=dcYyTkI4/QN6jnLxHKbeIdQ8bK7HZrXQ2qBaIZDxhIGPmRjEmzzPVel4MI1YMzXFj /dz6TLSJSTcR0Y40bd7W/Eet3YvTzYp4DJK4zxdYPHIgh+GeGJQXUmKfBP0FR4z2G3 akyOtIWwqr4mu/wUC+LMxgaoxRcHxUMvhZlAXEUFg8aQXGDINVukGDm/fCh2DXXcHI boXUfua4zljjpCbhgdfFVEj1PyeeR7apT5aIynTI0F1lDynPdTtRhLC7jSTkPkh5FF pkBG72RVJAnOzSw+HJj9cZZ3kmaD2jXCLWqe0vcY5ll8JvsIpCxBOyev8G5Sfjk2PD 4D3lLyGjjCzGQ==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsS1d4xySz9rxD for <behave@ietf.org>; Mon, 7 Feb 2022 01:38:45 +0100 (CET)
Message-ID: <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de>
Date: Mon, 07 Feb 2022 00:38:43 +0000
MIME-Version: 1.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080009040806000907090103"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/VCydQX930mgZuhZ12TZ5l0oRtDE>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 00:38:58 -0000

Hi,

I can understand you. I also don't like NAT. And I would also have 
favored different migration paths from IPv4 to IPv6. But NAT64+DNS64 is 
the one we got. I'm sure there have been discussions earlier. I didn't 
want to resume or repeat those discussions. I'm certain there are valid 
reasons for why we have the current migration paths and that the pros 
and cons of different strategies have been covered adequately.

Nonetheless DNS64 is incomplete without also addressing the SPF record.

On 2022-02-06 23:18, Keith Moore wrote:
> On 2/6/22 13:09, Klaus Frank wrote:
>
>> Hi,
>>
>> we had some issues with SPF and a mail server that was behind 
>> NAT64+DNS64. I at first thought that it was just a misconfiguration. 
>> But after the DNS64 server seamed to work as intended I went to the 
>> implementation and the RFC. Thereby while reading RFC6147 I stumbled 
>> across section 5.3.3 which says "All other RRs MUST be returned 
>> unchanged." which is the cause of my issues. This section is 
>> basically ignoring SPF records (RFC7208 section 5.6) and also 
>> preventing DNS64 implementations from addressing this limitation.
>>
>> Would it be possible to create an extension to RFC6147 that mandates 
>> SPF record rewrites as well? Otherwise Mail servers behind 
>> NAT64+DNS64 in IPv6 only environments won't be able to work as expected.
>>
>> Like:
>> If the DNS64 server receives a SPF-record (within either the TXT-RR 
>> or the SPF-RR [RFC4408]) containing the "ip4" mechanism it MUST 
>> rewrites the ipv4 address according to the same rules as A-records 
>> are and synthesizes a new SPF record within the response that 
>> contains additional "ip6" entries. The original "ip4" should not be 
>> removed from the response.
>
> PLEASE do not try to make DNS reflect any more NAT alterations to 
> reality.  That was ALWAYS a Bad Idea.   If you're going to operate 
> application servers behind any kind of NAT, what you need to do is 
> arrange for those application servers to somehow get a view of the 
> external/global addresses that they're communicating with, even if the 
> source IP addresses that they see aren't the real ones.  (If NATs had 
> been done "right" there would be an API for this, supported by all 
> NATs.   But that ship sailed decades ago.)
>
> More generally, NAT is inherently unfixable, and trying to fix it can 
> only result in infinitely growing complexity and brokenness. It's the 
> usual problem with telling lies: every lie you tell needs N additional 
> lies to cover up the earlier lies and so on recursively.
>
> (also, relying on SPF records is ill-advised, as they're too likely to 
> be out-of-sync with reality even without NATs in the picture. )
>
> Keith
>
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email