Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
Keith Moore <moore@network-heretics.com> Sun, 06 February 2022 22:18 UTC
Return-Path: <moore@network-heretics.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7045A3A0E48 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 14:18:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.612
X-Spam-Level:
X-Spam-Status: No, score=-2.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.714, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xb25IYcn9WaW for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 14:18:24 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 574F73A0E38 for <behave@ietf.org>; Sun, 6 Feb 2022 14:18:23 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 42B003200A2A for <behave@ietf.org>; Sun, 6 Feb 2022 17:18:22 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Sun, 06 Feb 2022 17:18:22 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=642bZOgiB2x6jSPBGxcAvM2G5N3Fdz32abJK+f0whws=; b=k6hxdiOL aL7y9m3DEYE5WJ9tE5nrz+5mvuo3kTOORlGXQ/pG5c5ay7XQr4mOaLMWGqEdGjRG +kme2uNlKV/aVy2wY1lHMABgQM25xmY0q55pANxnHf92Mcp1ilTno6EhpWlr0hVo Zo3lykExCmutq/cS0D7o4KqTv8CS/A26tP4ZAYkF9Ya5ht7kHTrp091I/8T2BDJA cCLkY3Ox3nNI7W/ZH74mJtR916vzc2mezdHc1hWxyrH7uphCSXk88sRdBAiyYBHG aEjqHFfRSfImxeO9XkfpB2Nh5T2YZ9gSLlUxA18lAdWyKqjZrxwLj8l7EcHjzdfN +Fl9PZ01sVXhlQ==
X-ME-Sender: <xms:LUkAYraXHeVX5ES8mzn0v4VpABS_wDydY3MNHKhQc8m4u8Lp3bCrxw> <xme:LUkAYqY4pRvq9E_78LTX7lGCZcFOXSP2PP1a4qV18LWuIRbolTWnkr3IDJJUsitLj iKsSBJjUitk2w>
X-ME-Received: <xmr:LUkAYt-aplqTeI3XhCv1tyRyLwiojHwaLd1fpLEzhflHSu-ke6YBigO_lEhGj22z0nRaiZaSzjiUeUPQaOcM1k4f4lVP0d1HGbr7nu7XdhqnSlga7uwKIA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrheefgdduiedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuvfhfhfgjtgfgsehtke ertddtfeejnecuhfhrohhmpefmvghithhhucfoohhorhgvuceomhhoohhrvgesnhgvthif ohhrkhdqhhgvrhgvthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpeeftddvleeije evkeejhfeuudehveeihfejfedvgfduhfffhfduuddufeeggfetveenucevlhhushhtvghr ufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmohhorhgvsehnvghtfihorh hkqdhhvghrvghtihgtshdrtghomh
X-ME-Proxy: <xmx:LUkAYhq3i7STn1HJLI9pgAJXhdJuUGDTcfLcLt2bUta8PhezdjG53A> <xmx:LUkAYmoWOvqhnDuklTak7qSyeADaPX4kIavzh_qCYVy9wdMCiWYebw> <xmx:LUkAYnRjfdEnuEEaJZ6mIVX0CaGdEUpKvJkDDwCHrUtYD7nIc8wH6Q> <xmx:LUkAYj0DqW3UuxG0a0hjKSHyV4qME6EKQY2Tw3nmkv8cWQ0Q5CPHNw>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <behave@ietf.org>; Sun, 6 Feb 2022 17:18:21 -0500 (EST)
Message-ID: <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com>
Date: Sun, 06 Feb 2022 17:18:20 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de>
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/cqRRU5Z83oyERDYEhbYitEaUUjw>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Feb 2022 22:18:30 -0000
On 2/6/22 13:09, Klaus Frank wrote: > Hi, > > we had some issues with SPF and a mail server that was behind > NAT64+DNS64. I at first thought that it was just a misconfiguration. > But after the DNS64 server seamed to work as intended I went to the > implementation and the RFC. Thereby while reading RFC6147 I stumbled > across section 5.3.3 which says "All other RRs MUST be returned > unchanged." which is the cause of my issues. This section is basically > ignoring SPF records (RFC7208 section 5.6) and also preventing DNS64 > implementations from addressing this limitation. > > Would it be possible to create an extension to RFC6147 that mandates > SPF record rewrites as well? Otherwise Mail servers behind NAT64+DNS64 > in IPv6 only environments won't be able to work as expected. > > Like: > If the DNS64 server receives a SPF-record (within either the TXT-RR or > the SPF-RR [RFC4408]) containing the "ip4" mechanism it MUST rewrites > the ipv4 address according to the same rules as A-records are and > synthesizes a new SPF record within the response that contains > additional "ip6" entries. The original "ip4" should not be removed > from the response. PLEASE do not try to make DNS reflect any more NAT alterations to reality. That was ALWAYS a Bad Idea. If you're going to operate application servers behind any kind of NAT, what you need to do is arrange for those application servers to somehow get a view of the external/global addresses that they're communicating with, even if the source IP addresses that they see aren't the real ones. (If NATs had been done "right" there would be an API for this, supported by all NATs. But that ship sailed decades ago.) More generally, NAT is inherently unfixable, and trying to fix it can only result in infinitely growing complexity and brokenness. It's the usual problem with telling lies: every lie you tell needs N additional lies to cover up the earlier lies and so on recursively. (also, relying on SPF records is ill-advised, as they're too likely to be out-of-sync with reality even without NATs in the picture. ) Keith
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Marc Blanchet
- [BEHAVE] RFC6147 and RFC7208 interoperability iss… Klaus Frank
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… JORDI PALET MARTINEZ
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Hector Santos
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Mark Andrews
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Mark Andrews
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… mohamed.boucadair
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank