Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 13:31 UTC
Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83AB63A0E86 for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 05:31:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3-egVtZ7uSgF for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 05:30:57 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8D8C3A0E82 for <behave@ietf.org>; Mon, 7 Feb 2022 05:30:56 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 2D4F4240104 for <behave@ietf.org>; Mon, 7 Feb 2022 14:30:52 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644240653; bh=EgJ0Vfjd4vmiVzCaRmAST4S77R0x6zl2Y4LzWaUtrMs=; h=Date:Subject:To:From:From; b=Gi/yxJMSWs9eo5U3sfMf1SYnEBsornmqgdTWwOqeAkkP88JF4gKuzLuC3Z4/60twJ z2fYKUW/ii4FPa7C+XmZtzeg3LkEfLfa3I853VrNUxKkHZSSJG713FX1VNdcIt8ROG 4DueSpNkGh494CZ7fgCeRlkKwR9JjB1OAAxaynZ/Bmr/kbdfmBBDatMjvUXR1vVJv9 7+R4YYK7lroZc7O2QRVCegHW+VRw2V+XmDFNCamKnUkLpHkeokMc5U9kmKNIkCes0d u1y43gxk4RcOQhn/88NpwcLHNRsfVYr5SxrxWI9YMuW73iTUs/G0gZjd0JtfxsGpok C62FizNNNFNgQ==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Jsn8V6jCJz6tpS for <behave@ietf.org>; Mon, 7 Feb 2022 14:30:50 +0100 (CET)
Message-ID: <72885e9c-2467-a079-9fab-267ca928caa7@posteo.de>
Date: Mon, 07 Feb 2022 13:30:50 +0000
MIME-Version: 1.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <dc15ccc0-3a67-563d-cf0f-08dcc7575fd2@it.uc3m.es>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <dc15ccc0-3a67-563d-cf0f-08dcc7575fd2@it.uc3m.es>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000109040003020207050100"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/fN9sPiyaTAWMHzwtLLgDSFqnYlA>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 13:31:02 -0000
I think an errata that either changes the "MUST not change" into a "SHOULD not change" is enough. As that would provide enough freedom to add a feature to update the SPF record without violating the RFC. And additionally add a note to that errata that explicitly lists SPF as one case where another record may need to be changed. On 2022-02-07 07:41, marcelo bagnulo braun wrote: > El 7/2/22 a las 1:38, Klaus Frank escribió: >> Hi, >> >> I can understand you. I also don't like NAT. And I would also have >> favored different migration paths from IPv4 to IPv6. But NAT64+DNS64 >> is the one we got. I'm sure there have been discussions earlier. I >> didn't want to resume or repeat those discussions. I'm certain there >> are valid reasons for why we have the current migration paths and >> that the pros and cons of different strategies have been covered >> adequately. >> >> Nonetheless DNS64 is incomplete without also addressing the SPF record. >> > > I guess one operative question is whether this issue can be dealt with > an errata or should require an update in the spec. > > Regards, marcelo > > > >> On 2022-02-06 23:18, Keith Moore wrote: >>> On 2/6/22 13:09, Klaus Frank wrote: >>> >>>> Hi, >>>> >>>> we had some issues with SPF and a mail server that was behind >>>> NAT64+DNS64. I at first thought that it was just a >>>> misconfiguration. But after the DNS64 server seamed to work as >>>> intended I went to the implementation and the RFC. Thereby while >>>> reading RFC6147 I stumbled across section 5.3.3 which says "All >>>> other RRs MUST be returned unchanged." which is the cause of my >>>> issues. This section is basically ignoring SPF records (RFC7208 >>>> section 5.6) and also preventing DNS64 implementations from >>>> addressing this limitation. >>>> >>>> Would it be possible to create an extension to RFC6147 that >>>> mandates SPF record rewrites as well? Otherwise Mail servers behind >>>> NAT64+DNS64 in IPv6 only environments won't be able to work as >>>> expected. >>>> >>>> Like: >>>> If the DNS64 server receives a SPF-record (within either the TXT-RR >>>> or the SPF-RR [RFC4408]) containing the "ip4" mechanism it MUST >>>> rewrites the ipv4 address according to the same rules as A-records >>>> are and synthesizes a new SPF record within the response that >>>> contains additional "ip6" entries. The original "ip4" should not be >>>> removed from the response. >>> >>> PLEASE do not try to make DNS reflect any more NAT alterations to >>> reality. That was ALWAYS a Bad Idea. If you're going to operate >>> application servers behind any kind of NAT, what you need to do is >>> arrange for those application servers to somehow get a view of the >>> external/global addresses that they're communicating with, even if >>> the source IP addresses that they see aren't the real ones. (If >>> NATs had been done "right" there would be an API for this, supported >>> by all NATs. But that ship sailed decades ago.) >>> >>> More generally, NAT is inherently unfixable, and trying to fix it >>> can only result in infinitely growing complexity and brokenness. >>> It's the usual problem with telling lies: every lie you tell needs N >>> additional lies to cover up the earlier lies and so on recursively. >>> >>> (also, relying on SPF records is ill-advised, as they're too likely >>> to be out-of-sync with reality even without NATs in the picture. ) >>> >>> Keith >>> >>> >>> _______________________________________________ >>> Behave mailing list >>> Behave@ietf.org >>> https://www.ietf.org/mailman/listinfo/behave >> >> _______________________________________________ >> Behave mailing list >> Behave@ietf.org >> https://www.ietf.org/mailman/listinfo/behave > > > _______________________________________________ > Behave mailing list > Behave@ietf.org > https://www.ietf.org/mailman/listinfo/behave
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Marc Blanchet
- [BEHAVE] RFC6147 and RFC7208 interoperability iss… Klaus Frank
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… JORDI PALET MARTINEZ
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Hector Santos
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Mark Andrews
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Mark Andrews
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… mohamed.boucadair
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank