IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

william@leibzon.org Mon, 07 February 2022 23:22 UTC

Return-Path: <william@leibzon.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9364E3A0FBE for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:22:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JvdHPURI2V3d for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:22:21 -0800 (PST)
Received: from relay5.hostedemail.com (relay5.hostedemail.com [64.99.140.39]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDC623A0EDF for <spfbis@ietf.org>; Mon, 7 Feb 2022 15:22:15 -0800 (PST)
Received: from omf04.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 4F08921BA6; Mon, 7 Feb 2022 23:22:14 +0000 (UTC)
Received: from [HIDDEN] (Authenticated sender: william@leibzon.org) by omf04.hostedemail.com (Postfix) with ESMTPA id EA90E20027; Mon, 7 Feb 2022 23:22:13 +0000 (UTC)
MIME-Version: 1.0
Date: Mon, 07 Feb 2022 15:22:13 -0800
From: william@leibzon.org
To: Ángel <angel@16bits.net>
Cc: spfbis@ietf.org
In-Reply-To: <b7fe33e0f8982bb5f4560ed546ac35bdff25e03b.camel@16bits.net>
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <DF73F58F-D33E-495A-B18C-58BC994ADE8B@viagenie.ca> <5b5f5a2a-8250-4ee5-3560-80e67b540204@posteo.de> <e061ff19f8bf10bef43399d82a29bee48fbcee5d.camel@16bits.net> <e0f53dcc-a909-9476-691b-84184ba8761c@posteo.de> <b7fe33e0f8982bb5f4560ed546ac35bdff25e03b.camel@16bits.net>
Message-ID: <1fc6a0d819c1872624dcae1e15af0384@leibzon.org>
X-Sender: william@leibzon.org
Content-Type: multipart/alternative; boundary="=_b4f0b268ce40528b133c0d5a6febf659"
X-Rspamd-Queue-Id: EA90E20027
X-Stat-Signature: zx8t4addxj76cmhrp6dwwgryjdjxec1k
X-Rspamd-Server: rspamout08
X-Session-Marker: 77696C6C69616D406C6569627A6F6E2E6F7267
X-Session-ID: U2FsdGVkX19xwLW1hhg66hLWp/Sd2PvakmNvrbXIxj0=
X-HE-Tag: 1644276133-866703
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/SkEa4cW27EQfPBKz2aYXLmG4xbk>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 23:22:28 -0000


SPF macro tricks: 
https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/
I wonder how many people actually use SPF macros....

But yeah, trying to translate these is the kind of hell that should be 
reserved for full SPF library and not something DNS64 server should 
probably attempt. Looks like those who want SPF to work behind NAT64 
would have to use a library that can discovery what NAT64 prefix is and 
translate everything.

BTW, what's going on with exists and A vs AAAA? The SPF 7206 RFC says:

exists           = "exists"   ":" domain-spec

    The <domain-spec> is expanded as per Section 7 [1].  The resulting 
domain
    name is used for a DNS A RR lookup (even when the connection type is
    IPv6).  If any A record is returned, this mechanism matches."

How is this meant to work for those in IPv6 only world? And what will 
happen when a SPF resolver behind DNS64 tries to resolve this? Is DNS64 
just adding AAAA while preserving the A as well for an application that 
needs it?

  On 2022-02-07 14:40, Ángel wrote:

> On 2022-02-07 at 02:30 +0000, Klaus Frank wrote:
> 
>> Why? Such a query would resolve in the mailserver would make the DNS
>> lookup. The DNS64 server than would synthetically add an AAAA-RR to
>> the response.
> 
> The issue is not that the response contains an A record but that the
> queried domain embeds the remote IP.
> 
> The A result is usually a 127.0.0.x address, with some "magic" meaning
> (perhaps lost if translated into IPv6) but the main problem is querying
> the right label.
> 
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis


Links:
------
[1] https://datatracker.ietf.org/doc/html/rfc7208#section-7

v2.23.0 | Report a Bug | By Email