IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Ángel <angel@16bits.net> Mon, 07 February 2022 02:21 UTC

Return-Path: <angel@16bits.net>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 096AF3A11AE for <spfbis@ietfa.amsl.com>; Sun, 6 Feb 2022 18:21:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QqTmnCkZklPp for <spfbis@ietfa.amsl.com>; Sun, 6 Feb 2022 18:21:46 -0800 (PST)
Received: from mail.direccionemail.com (mail.direccionemail.com [199.195.249.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC053A11A9 for <spfbis@ietf.org>; Sun, 6 Feb 2022 18:21:45 -0800 (PST)
Message-ID: <e061ff19f8bf10bef43399d82a29bee48fbcee5d.camel@16bits.net>
From: Ángel <angel@16bits.net>
To: spfbis@ietf.org
Date: Mon, 07 Feb 2022 03:21:40 +0100
In-Reply-To: <5b5f5a2a-8250-4ee5-3560-80e67b540204@posteo.de>
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <DF73F58F-D33E-495A-B18C-58BC994ADE8B@viagenie.ca> <5b5f5a2a-8250-4ee5-3560-80e67b540204@posteo.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/Jobjl8koc6ByLT_mSqh5JuoQajU>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:21:52 -0000

On 2022-02-06 at 18:39 +0000, Klaus Frank wrote:
> >> Like:
> >> If the DNS64 server receives a SPF-record (within either the TXT-
> RR or the SPF-RR [RFC4408]) containing the "ip4" mechanism it MUST
> rewrites the ipv4 address according to the same rules as A-records
> are and synthesizes a new SPF record within the response that
> contains additional "ip6" entries. The original "ip4" should not be
> removed from the response.
> > I agree there is a problem. However, I can think of “interesting”
> problems to solve, like: what if the ip4 contains a prefix, like
> 192.168.1.0/25. How would you translate this into IPv6 prefix by the
> DNS-64?
> Literally, your address of 192.168.1.0 would be e.g.
> ::ffff:c0a8:0100 and the prefix would just be 25+96

Ok, what about a component of "exists:%{ir}.list.dnswl.org" ?


A rewriting DNS64 dns server would need to keep track of spf queries,
learn that *.list.dnswl.org is special with a %{ir} pattern, and
rewrite queries matching that pattern with their ipv6 prefix into the
ipv4 one. Maybe they could rewrite into a pattern
like exists:%{ir}.list.dnswl.org.spfirexists.theirdomain.com which
tells it how it should be mapped, but it gets ugly really quick.

Having the SPF validator know about their IPv6 prefix -or, simply,
translate the IPv6 back into IPv4 before passing the address to the SPF
module- looks like a cleaner approach.

Best regards

v2.23.0 | Report a Bug | By Email