IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Keith Moore <moore@network-heretics.com> Mon, 07 February 2022 23:30 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 847AA3A0EB2 for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 15:30:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id edEKOyyxOuWZ for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 15:30:05 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29DE83A0ECD for <behave@ietf.org>; Mon, 7 Feb 2022 15:30:04 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 605D95C0193 for <behave@ietf.org>; Mon, 7 Feb 2022 18:30:03 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Mon, 07 Feb 2022 18:30:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=6q4nySBr+7mFSPdIcAYfZ/KvyUoxkBtUvsZdDWqO/88=; b=F0ilqiZg 1LZGYNSF5bO5kDu2k6ur1NRJahfImhmH3WMTueeLUSG9hy8ez6gFIqotfiHAEK+x 0+FXujv7chcjrkyib4OA5xCluZLhYGkIfW8KHds9RaVE5I7tnsLW0SED2N1lc2Hq SggiLB8htDU1K2B49AA+yhz7Vq6E3f3whWSmTLHxhagYP1prFJSlJGGzCOJTe66N AhMn8xZ7v3PUWa7cwDcwNytKKj3vjlvT100vuAC9HWqUj7bKi0vggEkpAPZHJIJI IPXbn8AXulkl/80iLwHNw00NYh9FHI7f3XVw2AzMsTksNiEUtwin9kHSY2Pinioo 2JH3VAyNSI5oiA==
X-ME-Sender: <xms:e6sBYrQhfM_KfPK3SH1Okg4fm_NkLPvE7mw_mbIjQUOiFsu-mZP4qA> <xme:e6sBYswtCFBbrJyBYInsOgpDXxwjYr_TyHqhXkH39DdHGrCikBl2VGZxBb4KibOJS SzU6Atsvp93zw>
X-ME-Received: <xmr:e6sBYg0gEYRvmuaSapQllb8cUxH-9k0LYPs9pPbrvXoYcFMx0KIIyVO6uTSoq-1gkv2lpWwCbwgv0uUTOMxORILJiM5IRUGqCGqF>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrheeigddtlecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepkfffgggfuffvfhfhjggtgfesthekre dttdefjeenucfhrhhomhepmfgvihhthhcuofhoohhrvgcuoehmohhorhgvsehnvghtfiho rhhkqdhhvghrvghtihgtshdrtghomheqnecuggftrfgrthhtvghrnhepfedtvdelieejve ekjefhueduheeviefhjeefvdfgudfhfffhudduudefgefgteevnecuvehluhhsthgvrhfu ihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhoohhrvgesnhgvthifohhrkh dqhhgvrhgvthhitghsrdgtohhm
X-ME-Proxy: <xmx:e6sBYrC_9bTbvYgN8OJzksIfluWbcrfHVApR8jb78EKgHipiOiRTPw> <xmx:e6sBYkiCXmlv_n43QXLLRwoU15u_ijwqCaeItGBivXhE_6ByYHpmcQ> <xmx:e6sBYvrEkNF1ooH4WWMnkHQP74Jyep4Q4RHNiMSqKuavs2bcX7jP3w> <xmx:e6sBYvuOQw9V_NSsJMz3nYauKokm1RO5-lpEZKCLpoaII85T3APD-Q>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <behave@ietf.org>; Mon, 7 Feb 2022 18:30:02 -0500 (EST)
Message-ID: <950d6a73-4747-ba08-3cf1-438d8b8eb7a9@network-heretics.com>
Date: Mon, 07 Feb 2022 18:30:02 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <22B55BB2-3854-4152-BBD5-900B169B9173@virtualized.org> <20220207232434.4xrcdmhm3kwwhytu@crankycanuck.ca>
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <20220207232434.4xrcdmhm3kwwhytu@crankycanuck.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/_bC0Ceh-oMOCWiyKibSe4QviucI>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 23:30:10 -0000

On 2/7/22 18:24, Andrew Sullivan wrote:
>
> I think I pointed this out on the other list, but there's a difference 
> in kind between the two cases.
>
> For A and PTR records, a DNS64 knows that it has work to do because 
> the datatype tells you so.  Part of the problem in SPF's case is that 
> it uses TXT, which can contain any arbitrary text. So, this means that 
> _at the very least_ the DNS64 needs to parse some part of the RDATA 
> before it can decide whether it needs to act.  It's a different model, 
> and there is no reason to suppose that the code path that relies on 
> strongly-typed data will work well for data that is effectively untyped.
>
> Moreover, I think it is really weird to suggest that DNS64 is going to 
> start picking and choosing when it's going to fiddle with the IP 
> literals in the RDATA it is dealing with.  If DNS64 is supposed to fix 
> up IPv4 literals in TXT records when SPF is working, it will be 
> entirely natural for people to generalize that to "DNS64 alters IPv4 
> literals in TXT records" rather than "DNS64 alters IPv4 literals in 
> TXT records where the RDATA starts "v-spf1…."  Then there will be a 
> new surprise when it works for SPF but not for some other case where 
> an IP literal is in a TXT record (which might not, of course, even be 
> aa standard).
>
> When we made DNS64, the DNSSEC handling depended on the idea that, if 
> you're planning to do validation yourself, you'd need to do DNS64 
> yourself too; and if you couldn't, it would break.  I think this is 
> sort of an analagous case: if you need to handle IP literals inside 
> DNS data that is not designed to carry such literals, then you're 
> going to need to be aware of how to handle such literals.  That argues 
> for making the SPF processor DNS64 aware for cases when it's going to 
> be used behind DNS64.  DNS64 was always kinda brittle; this is just 
> another example of it. 

+1

v2.23.0 | Report a Bug | By Email