IETF Logo Mail Archive

Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interoperability issues

Hector Santos <hsantos@isdg.net> Wed, 09 February 2022 17:36 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C2263A0A71 for <behave@ietfa.amsl.com>; Wed, 9 Feb 2022 09:36:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.306
X-Spam-Level:
X-Spam-Status: No, score=-6.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RDNS_NONE=0.793, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=Gf9obLj8; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=bj6aM48q
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a9oTO5J0xnMT for <behave@ietfa.amsl.com>; Wed, 9 Feb 2022 09:36:49 -0800 (PST)
Received: from mail.winserver.com (unknown [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A66C3A0A83 for <behave@ietf.org>; Wed, 9 Feb 2022 09:36:48 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=6462; t=1644428202; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Message-Id:Subject: Date:To:Organization:List-ID; bh=4Id5QVsQPa1xR8yD8Z7cdtHYh6hycXW +dQMbrK5oa0I=; b=Gf9obLj83uqmaHeVmuJ9wHAJSPn5t/1YA7NzO4y00sHefNl uljRdwnBY8WQgM2iM45F9s9dF2n/rctGmRj4mdfr4dbHu0c+9kaLczLjz1+CEcub /MaYVQ0pxEHC7s1bwSybgiyIuW3EdnXfydcWY8wpzcTWNV2AprceVTqC6lUo=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.12) for behave@ietf.org; Wed, 09 Feb 2022 12:36:42 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 2057876565.1.2696; Wed, 09 Feb 2022 12:36:40 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=6462; t=1644427964; h=Received:Received:From: Message-Id:Subject:Date:To:Organization:List-ID; bh=4Id5QVsQPa1x R8yD8Z7cdtHYh6hycXW+dQMbrK5oa0I=; b=bj6aM48qMSgU8FUjCGuYqRPEEd1A wCoKWQ6wNNR9rXPBtDOKN/obuiOGQZAmR41vGfsCgxLgCG03sCm4iYWH/lfiIAXu 872nnypo8s3ietst2Xq9wUydc1Df5FlpqckD4PvhV3Q8UyV6dWjJzGQKS2IlNooj dpi5bPZoeUwYpXQ=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for behave@ietf.org; Wed, 09 Feb 2022 12:32:44 -0500
Received: from smtpclient.apple ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 1181413595.1.49096; Wed, 09 Feb 2022 12:32:43 -0500
From: Hector Santos <hsantos@isdg.net>
Message-Id: <96278466-0EFF-4931-8AA3-9B49FFAF77B3@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_88357179-F5AF-44ED-852B-6FCD436B5E49"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.40.0.1.81\))
Date: Wed, 09 Feb 2022 12:36:38 -0500
In-Reply-To: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de>
Cc: behave@ietf.org, spfbis@ietf.org
To: Klaus Frank <klaus.frank@posteo.de>
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de>
X-Mailer: Apple Mail (2.3693.40.0.1.81)
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/rXSD53FmpRI58D4JD7bwzkQPaAE>
Subject: Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2022 17:36:54 -0000

You could do a independent draft tech note to show technical details, perhaps implementation details for SPF/DNS resolvers learning about IP6 related issues and coding requirements.  

In general, when dealing with unknown Resource Records (RR), the DNS server and client SHOULD be supporting RFC 3597:

https://datatracker.ietf.org/doc/html/rfc3597 <https://datatracker.ietf.org/doc/html/rfc3597>

A small dig into RFC6147, I don’t see a reference to RFC3597.  Maybe RFC6147 should be updated as well?

See this 2012 thread I had with Microsoft when I was updating our Wildcat! SAP package  for SPF RR support in its Wildcat! DNS client and local cache resolving API logic. We are not at IP6 but it sounds DNS64/NAT64 should review its level of support for RFC3597.

https://social.technet.microsoft.com/Forums/Lync/en-US/5841e884-db22-42a1-8530-615a375662cc/dns-server-support-for-new-or-unamed-rr-type-records <https://social.technet.microsoft.com/Forums/Lync/en-US/5841e884-db22-42a1-8530-615a375662cc/dns-server-support-for-new-or-unamed-rr-type-records>


Hope any of this helps

—
HLS



> On Feb 6, 2022, at 1:09 PM, Klaus Frank <klaus.frank@posteo.de> wrote:
> 
> Hi,
> 
> we had some issues with SPF and a mail server that was behind NAT64+DNS64. I at first thought that it was just a misconfiguration. But after the DNS64 server seamed to work as intended I went to the implementation and the RFC. Thereby while reading RFC6147 I stumbled across section 5.3.3 which says "All other RRs MUST be returned unchanged." which is the cause of my issues. This section is basically ignoring SPF records (RFC7208 section 5.6) and also preventing DNS64 implementations from addressing this limitation.
> 
> Would it be possible to create an extension to RFC6147 that mandates SPF record rewrites as well? Otherwise Mail servers behind NAT64+DNS64 in IPv6 only environments won't be able to work as expected.
> 
> Like:
> If the DNS64 server receives a SPF-record (within either the TXT-RR or the SPF-RR [RFC4408]) containing the "ip4" mechanism it MUST rewrites the ipv4 address according to the same rules as A-records are and synthesizes a new SPF record within the response that contains additional "ip6" entries. The original "ip4" should not be removed from the response.
> 
> Sincerely,
> Klaus Frank

v2.23.0 | Report a Bug | By Email