IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Scott Kitterman <spf2@kitterman.com> Mon, 07 February 2022 23:35 UTC

Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F6663A1010 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:35:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=OSHQXBOj; dkim=pass (2048-bit key) header.d=kitterman.com header.b=Rnwyrcle
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fb3QBGvXk3a4 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:35:54 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70FE73A100E for <spfbis@ietf.org>; Mon, 7 Feb 2022 15:35:54 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 9B5C3F802ED for <spfbis@ietf.org>; Mon, 7 Feb 2022 18:35:47 -0500 (EST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1644276947; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=4/Dwl/ytxawZH47YS5qwfNSUy/7ZigWqx4LWTnJ3Vwk=; b=OSHQXBOj0i9Rb5BhKpeKaW4cWX9HcR0/F3Glhchx4dkFGPSPEgUNfx7IF3H6DHPUYIzut rvALbAqVO7BdnU8CA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1644276947; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=4/Dwl/ytxawZH47YS5qwfNSUy/7ZigWqx4LWTnJ3Vwk=; b=RnwyrclerC94VjRAc05wbashKRYwD8tIqO0GkMZDcybT/tNXvkJU+97kl5tumMOhMXtYl 4CE/0pOhH58BY9qEpEEtvPphH4NLBEV3pTa0HylFMgO8P+5CMvhw5UQDJTJprDH4pTPYSqZ BSxI1kPBHCSQlSq5rpXwYdjXqtxHHvIaCHY8P3bylHIpNnV2ds5vLFc4LxfTxr70NPlJrIz d1fgf8FQYtB9lkAK3+eOi65x9jQ7wpBt/YjGCax0xlRIi2DWCFpGBVgYc/sWePT/TM2R2Ra te7y+HHJGTYqgq3Dm/xMTYzzINNjTQqt20Xpzil2HTMh+r89XUonRg4a5Fkw==
Received: from localhost.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 6A1A9F802DE for <spfbis@ietf.org>; Mon, 7 Feb 2022 18:35:47 -0500 (EST)
From: Scott Kitterman <spf2@kitterman.com>
To: spfbis@ietf.org
Date: Mon, 07 Feb 2022 18:35:47 -0500
Message-ID: <10214311.ZiOWkujHqK@localhost>
In-Reply-To: <1fc6a0d819c1872624dcae1e15af0384@leibzon.org>
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <b7fe33e0f8982bb5f4560ed546ac35bdff25e03b.camel@16bits.net> <1fc6a0d819c1872624dcae1e15af0384@leibzon.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/IDlDViLDOl1-VoktnsPo2TUOlJg>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 23:36:00 -0000

As far as I can tell, not very many people use them, but there were enough 
that the SPFbis working group concluded they were in use and could not be 
removed.

I'm working from several year old memories, but my recollection is that since 
the DNS server receiving the query has controls how to respond, it can respond 
just fine to an A query, even if via IPv6.  This should work until IPv4 is dead 
enough that people start ripping the ability to query for A records out of DNS 
servers (or the heat death of the universe, whichever comes first).

Scott K

On Monday, February 7, 2022 6:22:13 PM EST william@leibzon.org wrote:
> SPF macro tricks:
> https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-chal
> lenges-of-spf/ I wonder how many people actually use SPF macros....
> 
> But yeah, trying to translate these is the kind of hell that should be
> reserved for full SPF library and not something DNS64 server should
> probably attempt. Looks like those who want SPF to work behind NAT64
> would have to use a library that can discovery what NAT64 prefix is and
> translate everything.
> 
> BTW, what's going on with exists and A vs AAAA? The SPF 7208 RFC says:
> 
> exists           = "exists"   ":" domain-spec
> 
>     The <domain-spec> is expanded as per Section 7 [1].  The resulting
> domain
>     name is used for a DNS A RR lookup (even when the connection type is
>     IPv6).  If any A record is returned, this mechanism matches."
> 
> How is this meant to work for those in IPv6 only world? And what will
> happen when a SPF resolver behind DNS64 tries to resolve this? Is DNS64
> just adding AAAA while preserving the A as well for an application that
> needs it?
> 
>   On 2022-02-07 14:40, Ángel wrote:
> > On 2022-02-07 at 02:30 +0000, Klaus Frank wrote:
> >> Why? Such a query would resolve in the mailserver would make the DNS
> >> lookup. The DNS64 server than would synthetically add an AAAA-RR to
> >> the response.
> > 
> > The issue is not that the response contains an A record but that the
> > queried domain embeds the remote IP.
> > 
> > The A result is usually a 127.0.0.x address, with some "magic" meaning
> > (perhaps lost if translated into IPv6) but the main problem is querying
> > the right label.
> > 
> > _______________________________________________
> > spfbis mailing list
> > spfbis@ietf.org
> > https://www.ietf.org/mailman/listinfo/spfbis
> 
> Links:
> ------
> [1] https://datatracker.ietf.org/doc/html/rfc7208#section-7

v2.23.0 | Report a Bug | By Email