Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Keith Moore <moore@network-heretics.com> Mon, 07 February 2022 19:51 UTC

Message-ID: <ed382d77-483c-5a07-3498-eac0cd38abbd@network-heretics.com>
Date: Mon, 07 Feb 2022 14:51:12 -0500
To: behave@ietf.org
References: <077D662F-5E6D-44F5-8DD3-B58D8B535C5D@network-heretics.com> <B6D6B4CC-AC1F-459C-952A-E9493E00FDB3@huitema.net> <7e53925e-46b0-29e4-6deb-47bcf389ff97@posteo.de> <DC6F8DB5-4D01-466F-A042-1769E5FBB677@gmail.com>
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <DC6F8DB5-4D01-466F-A042-1769E5FBB677@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/mJd7Wrz5gC_DlGd6ZEW8nSyVp48>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

On 2/7/22 14:37, Dan Wing wrote:

> Could the SPF problem dissipate if SPF records only contained DNS names and deprecated IP addresses?

I suspect this would just make SPF records even less reliable than they already are, because the DNS name adds an extra layer of indirection that also has a high probability of being wrong.

Also, it doesn't rid applications operating behind the NAT of the burden of being aware of the NAT. For better or worse, applications have a lot of incentive to use DoH or DoT because local resolvers are sometimes under-provisioned or unreliable, network providers sometimes spy on DNS traffic, etc. Using DoH or DoT can result in more reliable, consistent operation with less delay due to DNS lookup time. So if the application is going to benefit from SPF records having DNS names in them, it has to know to use the DNS64 server to look up those DNS names and get the (possibly fake) IPv6 source addresses back.

The general problem that DNS is often out of sync with reality (at least in part because DNS isn't federated in the same way that reality is) is hard to fix.

Keith
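The interaction discussed above, as an added example that is not part of Keith's message or of any RFC reference code: a minimal RFC 7208 evaluator over constructed zone data, modelling a receiver on an IPv6-only network behind NAT64 whose resolver is either the local DNS64 server or a DoH/DoT resolver that bypasses it. It assumes the RFC 6052 well-known prefix 64:ff9b::/96, a constructed host mx.example.com that publishes only an A record, and a hypothetical `unwrap_nat64` receiver-side workaround that is not in RFC 7208.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known NAT64/DNS64 prefix

def dns64_synthesize(v4):
    """Synthesize the AAAA a DNS64 resolver would return for an A record (RFC 6052 embedding)."""
    return ipaddress.IPv6Address(int(WKP.network_address) | int(ipaddress.IPv4Address(v4)))

def embedded_ipv4(addr):
    """Recover the IPv4 address embedded in a NAT64-prefixed IPv6 address, or None."""
    addr = ipaddress.IPv6Address(addr)
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF) if addr in WKP else None

# Constructed zone data: the sending host publishes only an A record (IPv4-only).
ZONE = {"mx.example.com.": {"A": ["192.0.2.25"], "AAAA": []}}

def resolve(name, use_dns64):
    """Local DNS64 server (synthesizes AAAA when none exists) vs DoH/DoT resolver that bypasses it."""
    rr = ZONE.get(name, {"A": [], "AAAA": []})
    addrs = [ipaddress.ip_address(a) for a in rr["A"] + rr["AAAA"]]
    if use_dns64 and not rr["AAAA"]:
        addrs += [dns64_synthesize(a) for a in rr["A"]]
    return addrs

def spf_check(record, client_ip, use_dns64, unwrap_nat64=False):
    """Minimal RFC 7208 evaluation of ip4:, ip6:, a: and the all mechanism.
    unwrap_nat64 is a hypothetical receiver-side workaround, not part of RFC 7208."""
    client = ipaddress.ip_address(client_ip)
    if unwrap_nat64 and client.version == 6 and embedded_ipv4(client) is not None:
        client = embedded_ipv4(client)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if client.version == net.version and client in net:
                return "pass"
        elif term.startswith("a:"):
            if client in resolve(term[2:] + ".", use_dns64):
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"

if __name__ == "__main__":
    seen = str(dns64_synthesize("192.0.2.25"))  # what an IPv6-only receiver behind NAT64 sees
    print(spf_check("v=spf1 ip4:192.0.2.0/24 -all", seen, use_dns64=True))   # fail
    print(spf_check("v=spf1 a:mx.example.com -all", seen, use_dns64=True))   # pass
    print(spf_check("v=spf1 a:mx.example.com -all", seen, use_dns64=False))  # fail
```

The third call is the failure mode in the message: the same `a:` mechanism that passes via the DNS64 resolver fails when the application resolves through DoH/DoT and never sees the synthesized AAAA.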