IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Sun, 06 February 2022 23:35 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44F263A0FBE for <spfbis@ietfa.amsl.com>; Sun, 6 Feb 2022 15:35:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YikueNMD1tHY for <spfbis@ietfa.amsl.com>; Sun, 6 Feb 2022 15:34:58 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 022173A0FBB for <spfbis@ietf.org>; Sun, 6 Feb 2022 15:34:57 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id E62C7240105 for <spfbis@ietf.org>; Mon, 7 Feb 2022 00:34:52 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644190492; bh=wfy0hmdh2dPHjCmWlg+BEMTe7p+3fU+p1JMt6kPYr84=; h=Date:Subject:To:From:From; b=RmQreKRXLw3UNG6bycKtoy6ccTAK5GJokPgG+XMBWCjw+O8Bms+jLJCL88GAwzWDG d2szDRn0b7zse/CZZ9V5kigd1bC3HnCna3a9AxdC96N2R/KqMjuOWt6WLNMkS4RAUB 1xr229hRJEqgwdHSYacGhpmt+k6t7nEy3cKDs59MyjVsqLmaNuOy6dD9wnQ8ZwTpij Fp41kPZ8IOCtuBlLqTvlslsvjl+vCEH3PJVHNrFe7bsJYvnk04dsV3tCtd5l8Ufq5E ElTueGvPPA1ztMcyJBzLM9llQ202Qyb9COM5T4NzjIJJ48Oj6350ljrCJVscORfMpO QwlUraeTULHDw==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsQbv66ZVz6tnm for <spfbis@ietf.org>; Mon, 7 Feb 2022 00:34:51 +0100 (CET)
Message-ID: <9843fdc5-4443-e327-751b-330453ad7bf2@posteo.de>
Date: Sun, 06 Feb 2022 23:34:49 +0000
MIME-Version: 1.0
Content-Language: en-US
To: spfbis@ietf.org
References: <20220206221619.53E4836687AF@ary.qy>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <20220206221619.53E4836687AF@ary.qy>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080500090904070005030002"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/3fGXXBW9FdeU9f_8kz-fdCoto-o>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Feb 2022 23:35:05 -0000

Either way one of both RFCs needs an addendum to address this.

I personally think that because the SPF record is part of DNS it should 
be updated by DNS64 as well. But if RFC7208 gets an addendum that 
mandates the SPF library to consider the NAT64 (RFC7050 and RFC8880) 
prefix when doing validation would also work for me.

On 2022-02-06 23:16, John Levine wrote:
> It appears that Scott Kitterman  <spf2@kitterman.com> said:
>> It looks like situations like this one were contemplated by the RFC 6147
>> authors:
>>
>>> 6.  Deployment Notes
>>>
>>>     While DNS64 is intended to be part of a strategy for aiding IPv6
>>>     deployment in an internetworking environment with some IPv4-only and
>>>     IPv6-only networks, it is important to realize that it is
>>>     incompatible with some things that may be deployed in an IPv4-only or
>>>     dual-stack context.
>> On the SPF side of the discussion, I think it would, at least in theory, be
>> feasible to interpret an ip4: mechanism as <prefix> + <address> if the
>> connection is IPv6, but I don't see how a receiving SPF processor could know
>> what the prefix is.  As I read RFC 6147 Section 5.2, it could be anything.
> See RFCs 7050 and 8880 for how you find the prefix(es).
>
> That seems like a more reasonable way to go, patch the SPF library so it
> can use the NAT's Pref64 to fudge the interpretation of ip4 and ptr.
>
> It looks like you could automate the entire thing -- when the library starts
> up, do an AAAA query on ipv4only.arpa, and if you get plausible answers,
> you know you're behind NAT64 and reinterpret ip4 and ptr terms appropriately.
>
> R's,
> John
>
>
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis

v2.23.0 | Report a Bug | By Email