IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

william@leibzon.org Tue, 08 February 2022 00:36 UTC

Return-Path: <william@leibzon.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 046EF3A1013 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 16:36:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1C36bFxLSGt7 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 16:36:39 -0800 (PST)
Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.28]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7329E3A100D for <spfbis@ietf.org>; Mon, 7 Feb 2022 16:36:39 -0800 (PST)
Received: from omf10.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 46E1D2085E; Tue, 8 Feb 2022 00:36:38 +0000 (UTC)
Received: from [HIDDEN] (Authenticated sender: william@leibzon.org) by omf10.hostedemail.com (Postfix) with ESMTPA id E166B3E; Tue, 8 Feb 2022 00:36:31 +0000 (UTC)
MIME-Version: 1.0
Date: Mon, 07 Feb 2022 16:36:31 -0800
From: william@leibzon.org
To: Klaus Frank <klaus.frank@posteo.de>
Cc: spfbis@ietf.org
In-Reply-To: <3f9e531c-3b78-2c9d-3776-bf2ab297dead@posteo.de>
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <DF73F58F-D33E-495A-B18C-58BC994ADE8B@viagenie.ca> <5b5f5a2a-8250-4ee5-3560-80e67b540204@posteo.de> <e061ff19f8bf10bef43399d82a29bee48fbcee5d.camel@16bits.net> <e0f53dcc-a909-9476-691b-84184ba8761c@posteo.de> <b7fe33e0f8982bb5f4560ed546ac35bdff25e03b.camel@16bits.net> <1fc6a0d819c1872624dcae1e15af0384@leibzon.org> <3f9e531c-3b78-2c9d-3776-bf2ab297dead@posteo.de>
Message-ID: <20716dc8319f4d931e2346a24ccb4440@leibzon.org>
X-Sender: william@leibzon.org
Content-Type: multipart/alternative; boundary="=_62e2e97d3957bf21771e039665d6c4a6"
X-Stat-Signature: 77hpfiukoerbdypxjazrtg7mpi49giic
X-Rspamd-Server: rspamout04
X-Rspamd-Queue-Id: E166B3E
X-Session-Marker: 77696C6C69616D406C6569627A6F6E2E6F7267
X-Session-ID: U2FsdGVkX1+gt4mB5hiDpuc1nnvY7Wp0BQXslGlX/Zo=
X-HE-Tag: 1644280591-438342
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/9T3BRY-555cujPvpCCqeW-1C1cE>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Feb 2022 00:36:44 -0000


On 2022-02-07 15:31, Klaus Frank wrote:

> On 2022-02-08 00:22, william@leibzon.org wrote:
> 
>> SPF macro tricks: 
>> https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/
>> I wonder how many people actually use SPF macros....
> We don't have to. This is all done by the SPF library and we just need 
> to care about the DNS requests it'll perform because of this. The new 
> dns queries are also SPF records. And also start with "v=spf1 ", so no 
> problems as long as we'd rewrite all ip4's within it and that's the 
> same as we'd already do anyway. Therefore no change to macros needed.

The macros don't need to be changed if the library knows real IPv4 
address. Otherwise there would be an issue with:

%{ir}.%{v}._spf.%{d2}
       3.2.0.192.in-addr._spf.example.com

which when an ip address of connecting server is IPv6 is translated as:

%{ir}.%{v}._spf.%{d2}
        
1.0.b.c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6._spf.example.com

I wonder if there even are people doing ip6 exist macros... More likely 
people forgot about this if they are ip4, ip6 dual stack.

>> But yeah, trying to translate these is the kind of hell that should be 
>> reserved for full SPF library and not something DNS64 server should 
>> probably attempt. Looks like those who want SPF to work behind NAT64 
>> would have to use a library that can discovery what NAT64 prefix is 
>> and translate everything.
>> 
>> BTW, what's going on with exists and A vs AAAA? The SPF 7206 RFC says:
>> 
>> exists           = "exists"   ":" domain-spec
>> 
>> The <domain-spec> is expanded as perSection 7  
>> <https://datatracker.ietf.org/doc/html/rfc7208#section-7>.  The 
>> resulting domain
>> name is used for a DNS A RR lookup (even when the connection type is
>> IPv6).  If any A record is returned, this mechanism matches."
>> 
>> How is this meant to work for those in IPv6 only world? And what will 
>> happen when a SPF resolver behind DNS64 tries to resolve this? Is 
>> DNS64 just adding AAAA while preserving the A as well for an 
>> application that needs it?
> IPv4 records are preserved. But yea, it was already noted in the 
> discussion that that part is a minor problematic.
> 
> Here is a DNS64 resolver from cloudflare if you want to try it 
> yourself: 2606:4700:4700::64
> 
> On 2022-02-07 14:40, Ángel wrote:
> 
> On 2022-02-07 at 02:30 +0000, Klaus Frank wrote: Why? Such a query 
> would resolve in the mailserver would make the DNS
> lookup. The DNS64 server than would synthetically add an AAAA-RR to
> the response.
> The issue is not that the response contains an A record but that the
> queried domain embeds the remote IP.
> 
> The A result is usually a 127.0.0.x address, with some "magic" meaning
> (perhaps lost if translated into IPv6) but the main problem is querying
> the right label.
> 
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis

_______________________________________________
spfbis mailing list
spfbis@ietf.org
https://www.ietf.org/mailman/listinfo/spfbis
_______________________________________________
spfbis mailing list
spfbis@ietf.org
https://www.ietf.org/mailman/listinfo/spfbis

v2.23.0 | Report a Bug | By Email