IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Keith Moore <moore@network-heretics.com> Sun, 06 February 2022 22:18 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7045A3A0E48 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 14:18:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.612
X-Spam-Level:
X-Spam-Status: No, score=-2.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.714, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xb25IYcn9WaW for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 14:18:24 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 574F73A0E38 for <behave@ietf.org>; Sun, 6 Feb 2022 14:18:23 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 42B003200A2A for <behave@ietf.org>; Sun, 6 Feb 2022 17:18:22 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Sun, 06 Feb 2022 17:18:22 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=642bZOgiB2x6jSPBGxcAvM2G5N3Fdz32abJK+f0whws=; b=k6hxdiOL aL7y9m3DEYE5WJ9tE5nrz+5mvuo3kTOORlGXQ/pG5c5ay7XQr4mOaLMWGqEdGjRG +kme2uNlKV/aVy2wY1lHMABgQM25xmY0q55pANxnHf92Mcp1ilTno6EhpWlr0hVo Zo3lykExCmutq/cS0D7o4KqTv8CS/A26tP4ZAYkF9Ya5ht7kHTrp091I/8T2BDJA cCLkY3Ox3nNI7W/ZH74mJtR916vzc2mezdHc1hWxyrH7uphCSXk88sRdBAiyYBHG aEjqHFfRSfImxeO9XkfpB2Nh5T2YZ9gSLlUxA18lAdWyKqjZrxwLj8l7EcHjzdfN +Fl9PZ01sVXhlQ==
X-ME-Sender: <xms:LUkAYraXHeVX5ES8mzn0v4VpABS_wDydY3MNHKhQc8m4u8Lp3bCrxw> <xme:LUkAYqY4pRvq9E_78LTX7lGCZcFOXSP2PP1a4qV18LWuIRbolTWnkr3IDJJUsitLj iKsSBJjUitk2w>
X-ME-Received: <xmr:LUkAYt-aplqTeI3XhCv1tyRyLwiojHwaLd1fpLEzhflHSu-ke6YBigO_lEhGj22z0nRaiZaSzjiUeUPQaOcM1k4f4lVP0d1HGbr7nu7XdhqnSlga7uwKIA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrheefgdduiedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuvfhfhfgjtgfgsehtke ertddtfeejnecuhfhrohhmpefmvghithhhucfoohhorhgvuceomhhoohhrvgesnhgvthif ohhrkhdqhhgvrhgvthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpeeftddvleeije evkeejhfeuudehveeihfejfedvgfduhfffhfduuddufeeggfetveenucevlhhushhtvghr ufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmohhorhgvsehnvghtfihorh hkqdhhvghrvghtihgtshdrtghomh
X-ME-Proxy: <xmx:LUkAYhq3i7STn1HJLI9pgAJXhdJuUGDTcfLcLt2bUta8PhezdjG53A> <xmx:LUkAYmoWOvqhnDuklTak7qSyeADaPX4kIavzh_qCYVy9wdMCiWYebw> <xmx:LUkAYnRjfdEnuEEaJZ6mIVX0CaGdEUpKvJkDDwCHrUtYD7nIc8wH6Q> <xmx:LUkAYj0DqW3UuxG0a0hjKSHyV4qME6EKQY2Tw3nmkv8cWQ0Q5CPHNw>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <behave@ietf.org>; Sun, 6 Feb 2022 17:18:21 -0500 (EST)
Message-ID: <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com>
Date: Sun, 06 Feb 2022 17:18:20 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de>
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/cqRRU5Z83oyERDYEhbYitEaUUjw>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Feb 2022 22:18:30 -0000

On 2/6/22 13:09, Klaus Frank wrote:

> Hi,
>
> we had some issues with SPF and a mail server that was behind 
> NAT64+DNS64. I at first thought that it was just a misconfiguration. 
> But after the DNS64 server seamed to work as intended I went to the 
> implementation and the RFC. Thereby while reading RFC6147 I stumbled 
> across section 5.3.3 which says "All other RRs MUST be returned 
> unchanged." which is the cause of my issues. This section is basically 
> ignoring SPF records (RFC7208 section 5.6) and also preventing DNS64 
> implementations from addressing this limitation.
>
> Would it be possible to create an extension to RFC6147 that mandates 
> SPF record rewrites as well? Otherwise Mail servers behind NAT64+DNS64 
> in IPv6 only environments won't be able to work as expected.
>
> Like:
> If the DNS64 server receives a SPF-record (within either the TXT-RR or 
> the SPF-RR [RFC4408]) containing the "ip4" mechanism it MUST rewrites 
> the ipv4 address according to the same rules as A-records are and 
> synthesizes a new SPF record within the response that contains 
> additional "ip6" entries. The original "ip4" should not be removed 
> from the response.

PLEASE do not try to make DNS reflect any more NAT alterations to 
reality.  That was ALWAYS a Bad Idea.   If you're going to operate 
application servers behind any kind of NAT, what you need to do is 
arrange for those application servers to somehow get a view of the 
external/global addresses that they're communicating with, even if the 
source IP addresses that they see aren't the real ones.  (If NATs had 
been done "right" there would be an API for this, supported by all 
NATs.   But that ship sailed decades ago.)

More generally, NAT is inherently unfixable, and trying to fix it can 
only result in infinitely growing complexity and brokenness. It's the 
usual problem with telling lies: every lie you tell needs N additional 
lies to cover up the earlier lies and so on recursively.

(also, relying on SPF records is ill-advised, as they're too likely to 
be out-of-sync with reality even without NATs in the picture. )

Keith

v2.23.0 | Report a Bug | By Email