Re: [spfbis] RFC6147 and RFC7208 interoperability issues
Scott Kitterman <spf2@kitterman.com> Mon, 07 February 2022 23:35 UTC
Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F6663A1010 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:35:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=OSHQXBOj; dkim=pass (2048-bit key) header.d=kitterman.com header.b=Rnwyrcle
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fb3QBGvXk3a4 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:35:54 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70FE73A100E for <spfbis@ietf.org>; Mon, 7 Feb 2022 15:35:54 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 9B5C3F802ED for <spfbis@ietf.org>; Mon, 7 Feb 2022 18:35:47 -0500 (EST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1644276947; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=4/Dwl/ytxawZH47YS5qwfNSUy/7ZigWqx4LWTnJ3Vwk=; b=OSHQXBOj0i9Rb5BhKpeKaW4cWX9HcR0/F3Glhchx4dkFGPSPEgUNfx7IF3H6DHPUYIzut rvALbAqVO7BdnU8CA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1644276947; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=4/Dwl/ytxawZH47YS5qwfNSUy/7ZigWqx4LWTnJ3Vwk=; b=RnwyrclerC94VjRAc05wbashKRYwD8tIqO0GkMZDcybT/tNXvkJU+97kl5tumMOhMXtYl 4CE/0pOhH58BY9qEpEEtvPphH4NLBEV3pTa0HylFMgO8P+5CMvhw5UQDJTJprDH4pTPYSqZ BSxI1kPBHCSQlSq5rpXwYdjXqtxHHvIaCHY8P3bylHIpNnV2ds5vLFc4LxfTxr70NPlJrIz d1fgf8FQYtB9lkAK3+eOi65x9jQ7wpBt/YjGCax0xlRIi2DWCFpGBVgYc/sWePT/TM2R2Ra te7y+HHJGTYqgq3Dm/xMTYzzINNjTQqt20Xpzil2HTMh+r89XUonRg4a5Fkw==
Received: from localhost.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 6A1A9F802DE for <spfbis@ietf.org>; Mon, 7 Feb 2022 18:35:47 -0500 (EST)
From: Scott Kitterman <spf2@kitterman.com>
To: spfbis@ietf.org
Date: Mon, 07 Feb 2022 18:35:47 -0500
Message-ID: <10214311.ZiOWkujHqK@localhost>
In-Reply-To: <1fc6a0d819c1872624dcae1e15af0384@leibzon.org>
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <b7fe33e0f8982bb5f4560ed546ac35bdff25e03b.camel@16bits.net> <1fc6a0d819c1872624dcae1e15af0384@leibzon.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/IDlDViLDOl1-VoktnsPo2TUOlJg>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 23:36:00 -0000
As far as I can tell, not very many people use them, but there were enough that the SPFbis working group concluded they were in use and could not be removed. I'm working from several year old memories, but my recollection is that since the DNS server receiving the query has controls how to respond, it can respond just fine to an A query, even if via IPv6. This should work until IPv4 is dead enough that people start ripping the ability to query for A records out of DNS servers (or the heat death of the universe, whichever comes first). Scott K On Monday, February 7, 2022 6:22:13 PM EST william@leibzon.org wrote: > SPF macro tricks: > https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-chal > lenges-of-spf/ I wonder how many people actually use SPF macros.... > > But yeah, trying to translate these is the kind of hell that should be > reserved for full SPF library and not something DNS64 server should > probably attempt. Looks like those who want SPF to work behind NAT64 > would have to use a library that can discovery what NAT64 prefix is and > translate everything. > > BTW, what's going on with exists and A vs AAAA? The SPF 7208 RFC says: > > exists = "exists" ":" domain-spec > > The <domain-spec> is expanded as per Section 7 [1]. The resulting > domain > name is used for a DNS A RR lookup (even when the connection type is > IPv6). If any A record is returned, this mechanism matches." > > How is this meant to work for those in IPv6 only world? And what will > happen when a SPF resolver behind DNS64 tries to resolve this? Is DNS64 > just adding AAAA while preserving the A as well for an application that > needs it? > > On 2022-02-07 14:40, Ángel wrote: > > On 2022-02-07 at 02:30 +0000, Klaus Frank wrote: > >> Why? Such a query would resolve in the mailserver would make the DNS > >> lookup. The DNS64 server than would synthetically add an AAAA-RR to > >> the response. > > > > The issue is not that the response contains an A record but that the > > queried domain embeds the remote IP. > > > > The A result is usually a 127.0.0.x address, with some "magic" meaning > > (perhaps lost if translated into IPv6) but the main problem is querying > > the right label. > > > > _______________________________________________ > > spfbis mailing list > > spfbis@ietf.org > > https://www.ietf.org/mailman/listinfo/spfbis > > Links: > ------ > [1] https://datatracker.ietf.org/doc/html/rfc7208#section-7
- [spfbis] RFC6147 and RFC7208 interoperability iss… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Marc Blanchet
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Ángel
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Stuart D Gathman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Ángel
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Alessandro Vesely
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Hector Santos
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews