IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 20:00 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 413B73A08D6 for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 12:00:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mr-rLvpIz3vO for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 12:00:48 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35F743A0A26 for <behave@ietf.org>; Mon, 7 Feb 2022 12:00:46 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 9DC13240106 for <behave@ietf.org>; Mon, 7 Feb 2022 21:00:42 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644264043; bh=SjI29Z96bj99GsArMw9GEEEQIZPtZgtCr1T/k9TAoDo=; h=Date:Subject:To:From:From; b=jndoWPgnlyp+lem4ArZlPJqlN6Tq/El6bJlTwIaLFVEmuRlqSguW5f0ReTOR6lo9G 7aGct934lJ0GE5ltEbgm1XiNWc20TrGw1mtzBx+VOtpywKwyFSeIcfGbxauz4h1n1p 52VR7pv5PQOWXgwE2mU/c9SY4OTPQs3uW5jnBgdm4ZarWFQO6FiTaWyVaeOH22/ZDG Pt/8OqcaQ8aVqbNTx1eRrD9ZADLcQUVpyp5GP9EqQRdlQhfG8xMPsVfdirQFB3X9L/ iEw3KLoP1AfyJ3+BKPLFDRUBPZr2tokFY6xyISYdvx3/1aLavwTPs1q5F4xiQ7SkIu cLktecd1Ek4tw==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsxpL2jyhz9rxK for <behave@ietf.org>; Mon, 7 Feb 2022 21:00:41 +0100 (CET)
Message-ID: <f4967d34-f7ba-4024-b4ac-9e6dfce427fa@posteo.de>
Date: Mon, 07 Feb 2022 20:00:39 +0000
MIME-Version: 1.0
Content-Language: en-US
To: behave@ietf.org
References: <077D662F-5E6D-44F5-8DD3-B58D8B535C5D@network-heretics.com> <B6D6B4CC-AC1F-459C-952A-E9493E00FDB3@huitema.net> <7e53925e-46b0-29e4-6deb-47bcf389ff97@posteo.de> <DC6F8DB5-4D01-466F-A042-1769E5FBB677@gmail.com> <ed382d77-483c-5a07-3498-eac0cd38abbd@network-heretics.com>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <ed382d77-483c-5a07-3498-eac0cd38abbd@network-heretics.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms010609020407050703090100"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/yyiHEEJcxRYyH58LHZZAbcvmk68>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 20:01:01 -0000

On 2022-02-07 20:51, Keith Moore wrote:
> On 2/7/22 14:37, Dan Wing wrote:
>
>> Could the SPF problem dissipate if SPF records only contained DNS 
>> names and deprecate IP addresses?
>
> I suspect this just would just make SPF records even less reliable 
> than they already are, because the DNS name adds an extra layer of 
> indirection that also has a high probability of being wrong.

Not really. Using DNS is already part of the SPF standard (section 5.7) 
via "v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} -all":

    The <target-name> might expand to
    "1.2.0.192.someuser._spf.example.com".  This makes fine-grained
    decisions possible at the level of the user and client IP address.

> Also, it doesn't rid the burden of applications operating behind the 
> NAT to be aware of the NAT.   For better or worse, applications have a 
> lot of incentive to use DoH or DoT because local resolvers are 
> sometimes under-provisioned or unreliable, network providers sometimes 
> spy on DNS traffic, etc.  Using DoH or DoT can result in more 
> reliable, consistent operation with less delay due to DNS lookup 
> time.   So if the application is going to benefit from SPF records 
> having DNS names in them, it has to know to use the DNS64 server to 
> lookup those DNS names and get the (possibly fake) IPv6 source 
> addresses back.
>
> The general problem that DNS is often out of sync with reality (at 
> least in part because DNS isn't federated in the same way that reality 
> is) is hard to fix.
What exactly do you mean Split-DNS? Which is another pitfall why using 
DoH and DoT is problematic and (from admin perspective) not desirable. 
And when they're used to use the same DNS infrastructure you consider 
"out of sync" via a DoH or DoT resolver...
>
> Keith
>
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email