Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Christian Huitema <huitema@huitema.net> Mon, 07 February 2022 02:30 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BE723A11CC for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:30:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.603
X-Spam-Level:
X-Spam-Status: No, score=-2.603 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YWuqmXaeuPOR for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:30:39 -0800 (PST)
Received: from mx36-out20.antispamcloud.com (mx36-out20.antispamcloud.com [209.126.121.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D63B3A11C2 for <behave@ietf.org>; Sun, 6 Feb 2022 18:30:39 -0800 (PST)
Received: from xse25.mail2web.com ([66.113.196.25] helo=xse.mail2web.com) by mx257.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nGtnX-000MFQ-8p for behave@ietf.org; Mon, 07 Feb 2022 03:30:38 +0100
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4JsVVd0jyVz7TM for <behave@ietf.org>; Sun, 6 Feb 2022 18:30:33 -0800 (PST)
Received: from [10.5.2.49] (helo=xmail11.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nGtnU-00072x-VP for behave@ietf.org; Sun, 06 Feb 2022 18:30:32 -0800
Received: (qmail 5895 invoked from network); 7 Feb 2022 02:30:32 -0000
Received: from unknown (HELO [192.168.1.105]) (Authenticated-user:_huitema@huitema.net@[172.58.46.218]) (envelope-sender <huitema@huitema.net>) by xmail11.myhosting.com (qmail-ldap-1.03) with ESMTPA for <klaus.frank@posteo.de>; 7 Feb 2022 02:30:31 -0000
Message-ID: <0d18c171-f713-4590-d9a6-3c5729a3384c@huitema.net>
Date: Sun, 06 Feb 2022 18:30:32 -0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: Klaus Frank <klaus.frank@posteo.de>, Keith Moore <moore@network-heretics.com>, behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <6123a322-e9a7-7f90-391f-9b4c4461ce45@network-heretics.com> <e95993e4-4166-4b3d-1637-8ca451b093b6@huitema.net> <7b7cf541-3387-6d0b-0fbe-273a08fd37ed@posteo.de>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <7b7cf541-3387-6d0b-0fbe-273a08fd37ed@posteo.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Originating-IP: 66.113.196.25
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zVVrN4oC+7+v6H1pDHwMpu42UuDhyzVYcwl2RB+0AaeicU 4qhODrlqMTrUcfwIJTUh55uqY3MhMgFAHq5BxPxPXn36fLqvhISQ5ykyqUZqUd1jhnM/Mbva2XLV /LIEzaL2KoAZhJekBPedneT7f699iwgQ+2yl7BoDncKB+ziACIPAgTtUp75uqlx0KezvZHWM525h obRX+ccJ5ZEXtMPGWQaaSSaRcFTFxaRvADgOuFdAU5fRzM/QzQW9/IoH33AG8ECuCwECazCwODtO F78PiyQEs+dlGXUJLWZ+Gc08Nmllke3azHdKmySKNUVQl4ntlVxnbS8qIO7oudHyb2T1VQ58xe/l rqiRGalI3YPsxOTrFXToVyBmRCgQVX6zVyFUu8qzeMQP6uTHL0d9UjfY+eX5ZvcELCIKs663F/co VFYFvf25LVONYbYifH5OzZDcG6hsRQZiAIgw+z837AqgX7ewI8e1h7RITgN14BHmGVt/ReJ9Mfhz zmbKTH7wI9GEU1utNskUAORCV2WFZX0jMujG3f5uEi//7HghzjC/t6TeVLW3pB0Q/PTyowo5Afvd MI55vMsIt7tpjfxhwGdiCFXoGKtafvOtcW/mP16bynTCOInfd76oq4RH5afpA3RRyBl07OVp2D/S 9ogT8aIXDk0/kYZFsrGHbQeDkWMuklR/Vq4Nl7KzVICVCA0C5p9UoFIvD3sIcP1fhJPM6B/8tETO vQ5YjQRl5uqaMHaWGrgLUbWzzoy9zZnLbhRCIxM37Fo9Xqg2bQC831cpDah1qpGltVVtdJFVwmuo nkV+kW0AuXq0T17woJo3avKeADIsy647Mn0zwmGzAi3Zn+YdthRNgs7Ig4l/XErpYn3glZTKFuaT l19W3ISq9+1KiLsESGU+y+fjdgjudZxiTPi+MG1QP35nsYfP84c+RFK3KiZuZ5OAUoGBziSYFLZu u6zX3xxsmqT8l9ARlsTalAaf
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/t2XyAy933EwCDE1ttHLAvxt9Al8>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:30:43 -0000

On 2/6/2022 6:20 PM, Klaus Frank wrote:

> You left out the other half of Section 6.2 where it says:
>
>    Alternatively,
>    the validating host may establish a trusted connection with a DNS64,
>    and allow the DNS64 recursive resolver to do all validation on its
>    behalf.
>
> Which is allowing the DNS64 server to rewrite the SPF record... 

Yes, but doing that requires updating the code on the DNS64 server, 
which may or may not be under the same management as the SMTP server. 
The DNS64 update would also still break if the SMTP server is 
configured to access a secure DNS server using encrypted DNS -- DoH, DoT 
or DoQ. Turns out that "use encrypted DNS" is one of the recommendations 
pushed for network security, because it prevents DNS spoofing and DNS 
monitoring attacks. Overall, it is probably easier and more robust to 
deploy a change in the SMTP servers.

-- Christian Huitema
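As an added illustration that is not part of this thread and not code from any RFC or project discussed in it: the "change in the SMTP servers" option can be demonstrated with a small SPF (RFC 7208) evaluator that, when the connecting client address lies inside the NAT64 prefix, also matches the embedded IPv4 address against the sender's `ip4:` mechanisms. The record below is constructed for a fictional domain; the prefix is assumed to be the RFC 6052 well-known prefix `64:ff9b::/96`, and only the `ip4`, `ip6` and `all` mechanisms are evaluated, since everything else requires live DNS.

```python
import ipaddress

# Assumption: the site's NAT64 uses the RFC 6052 well-known prefix. A deployment
# with a network-specific prefix must substitute its own; only the prefix the
# local NAT64 actually uses should be trusted for unmapping.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")

# Constructed sample SPF record for a fictional sending domain.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 -all"

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def unmap_nat64(addr):
    """Return the IPv4 address embedded in a NAT64-synthesized IPv6 address,
    or None if the address is not inside the configured NAT64 prefix."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip in NAT64_PREFIX:
        # RFC 6052 /96 prefix: the IPv4 address occupies the low 32 bits.
        return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return None


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        mechanisms.append((qualifier, name.lower(), argument))
    return mechanisms


def evaluate_spf(record, client_ip, nat64_aware=True):
    """Evaluate ip4/ip6/all mechanisms for the connecting client address.

    With nat64_aware=True, a client inside NAT64_PREFIX is additionally
    tested as its embedded IPv4 address, so an IPv6-only SMTP server behind
    NAT64 can still match the sender's ip4: mechanisms.
    """
    client = ipaddress.ip_address(client_ip)
    candidates = [client]
    if nat64_aware:
        embedded = unmap_nat64(client)
        if embedded is not None:
            candidates.append(embedded)

    for qualifier, name, argument in parse_spf(record):
        if name == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            for candidate in candidates:
                if candidate.version == network.version and candidate in network:
                    return RESULT_BY_QUALIFIER[qualifier]
        # a, mx, include, exists and redirect need DNS lookups; skipped here.
    return "neutral"


if __name__ == "__main__":
    # 64:ff9b::c000:201 is the NAT64 mapping of 192.0.2.1 (inside the ip4: range).
    for ip in ("64:ff9b::c000:201", "64:ff9b::cb00:7101", "2001:db8:1::5"):
        print(ip, "nat64-aware:", evaluate_spf(SAMPLE_SPF, ip),
              "plain:", evaluate_spf(SAMPLE_SPF, ip, nat64_aware=False))
```

The comparison of the two modes shows the interoperability problem in one place: without the unmapping step the same authorized sender fails `-all` purely because the receiver sits behind NAT64, while with it the record is honored without touching the DNS64 resolver, which keeps the check working when the SMTP server resolves through DoH, DoT or DoQ.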