IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 13:31 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83AB63A0E86 for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 05:31:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3-egVtZ7uSgF for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 05:30:57 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8D8C3A0E82 for <behave@ietf.org>; Mon, 7 Feb 2022 05:30:56 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 2D4F4240104 for <behave@ietf.org>; Mon, 7 Feb 2022 14:30:52 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644240653; bh=EgJ0Vfjd4vmiVzCaRmAST4S77R0x6zl2Y4LzWaUtrMs=; h=Date:Subject:To:From:From; b=Gi/yxJMSWs9eo5U3sfMf1SYnEBsornmqgdTWwOqeAkkP88JF4gKuzLuC3Z4/60twJ z2fYKUW/ii4FPa7C+XmZtzeg3LkEfLfa3I853VrNUxKkHZSSJG713FX1VNdcIt8ROG 4DueSpNkGh494CZ7fgCeRlkKwR9JjB1OAAxaynZ/Bmr/kbdfmBBDatMjvUXR1vVJv9 7+R4YYK7lroZc7O2QRVCegHW+VRw2V+XmDFNCamKnUkLpHkeokMc5U9kmKNIkCes0d u1y43gxk4RcOQhn/88NpwcLHNRsfVYr5SxrxWI9YMuW73iTUs/G0gZjd0JtfxsGpok C62FizNNNFNgQ==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Jsn8V6jCJz6tpS for <behave@ietf.org>; Mon, 7 Feb 2022 14:30:50 +0100 (CET)
Message-ID: <72885e9c-2467-a079-9fab-267ca928caa7@posteo.de>
Date: Mon, 07 Feb 2022 13:30:50 +0000
MIME-Version: 1.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <dc15ccc0-3a67-563d-cf0f-08dcc7575fd2@it.uc3m.es>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <dc15ccc0-3a67-563d-cf0f-08dcc7575fd2@it.uc3m.es>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000109040003020207050100"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/fN9sPiyaTAWMHzwtLLgDSFqnYlA>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 13:31:02 -0000

I think an errata that either changes the "MUST not change" into a 
"SHOULD not change" is enough. As that would provide enough freedom to 
add a feature to update the SPF record without violating the RFC. And 
additionally add a note to that errata that explicitly lists SPF as one 
case where another record may need to be changed.

On 2022-02-07 07:41, marcelo bagnulo braun wrote:
> El 7/2/22 a las 1:38, Klaus Frank escribió:
>> Hi,
>>
>> I can understand you. I also don't like NAT. And I would also have 
>> favored different migration paths from IPv4 to IPv6. But NAT64+DNS64 
>> is the one we got. I'm sure there have been discussions earlier. I 
>> didn't want to resume or repeat those discussions. I'm certain there 
>> are valid reasons for why we have the current migration paths and 
>> that the pros and cons of different strategies have been covered 
>> adequately.
>>
>> Nonetheless DNS64 is incomplete without also addressing the SPF record.
>>
>
> I guess one operative question is whether this issue can be dealt with 
> an errata or should require an update in the spec.
>
> Regards, marcelo
>
>
>
>> On 2022-02-06 23:18, Keith Moore wrote:
>>> On 2/6/22 13:09, Klaus Frank wrote:
>>>
>>>> Hi,
>>>>
>>>> we had some issues with SPF and a mail server that was behind 
>>>> NAT64+DNS64. I at first thought that it was just a 
>>>> misconfiguration. But after the DNS64 server seamed to work as 
>>>> intended I went to the implementation and the RFC. Thereby while 
>>>> reading RFC6147 I stumbled across section 5.3.3 which says "All 
>>>> other RRs MUST be returned unchanged." which is the cause of my 
>>>> issues. This section is basically ignoring SPF records (RFC7208 
>>>> section 5.6) and also preventing DNS64 implementations from 
>>>> addressing this limitation.
>>>>
>>>> Would it be possible to create an extension to RFC6147 that 
>>>> mandates SPF record rewrites as well? Otherwise Mail servers behind 
>>>> NAT64+DNS64 in IPv6 only environments won't be able to work as 
>>>> expected.
>>>>
>>>> Like:
>>>> If the DNS64 server receives a SPF-record (within either the TXT-RR 
>>>> or the SPF-RR [RFC4408]) containing the "ip4" mechanism it MUST 
>>>> rewrites the ipv4 address according to the same rules as A-records 
>>>> are and synthesizes a new SPF record within the response that 
>>>> contains additional "ip6" entries. The original "ip4" should not be 
>>>> removed from the response.
>>>
>>> PLEASE do not try to make DNS reflect any more NAT alterations to 
>>> reality.  That was ALWAYS a Bad Idea.   If you're going to operate 
>>> application servers behind any kind of NAT, what you need to do is 
>>> arrange for those application servers to somehow get a view of the 
>>> external/global addresses that they're communicating with, even if 
>>> the source IP addresses that they see aren't the real ones.  (If 
>>> NATs had been done "right" there would be an API for this, supported 
>>> by all NATs.   But that ship sailed decades ago.)
>>>
>>> More generally, NAT is inherently unfixable, and trying to fix it 
>>> can only result in infinitely growing complexity and brokenness. 
>>> It's the usual problem with telling lies: every lie you tell needs N 
>>> additional lies to cover up the earlier lies and so on recursively.
>>>
>>> (also, relying on SPF records is ill-advised, as they're too likely 
>>> to be out-of-sync with reality even without NATs in the picture. )
>>>
>>> Keith
>>>
>>>
>>> _______________________________________________
>>> Behave mailing list
>>> Behave@ietf.org
>>> https://www.ietf.org/mailman/listinfo/behave
>>
>> _______________________________________________
>> Behave mailing list
>> Behave@ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
>
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email