IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 00:09 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFB603A102B for <spfbis@ietfa.amsl.com>; Sun, 6 Feb 2022 16:09:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WIMnTA6gUfDz for <spfbis@ietfa.amsl.com>; Sun, 6 Feb 2022 16:09:17 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 334103A1029 for <spfbis@ietf.org>; Sun, 6 Feb 2022 16:09:17 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 46507240101 for <spfbis@ietf.org>; Mon, 7 Feb 2022 01:09:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644192554; bh=TkpTPjWjKy1mlTr4wHn5wV0xAluKzBXb322V9ZivDVY=; h=Date:Subject:To:From:From; b=p9D4pTprMkx0TXeefFfKWxdm6Vl+8Wdthjd4uIKnhOAhwHUFDe5xY7B+JPYa0v2il F5JwjSVd1r7CUdzcLifUKC9pSL+vWmqsQNARdwn2ElqMvVI1LrZq5pipc3XJWBq6IV AvRJz1CJxRUqvt/k2+R6u21VbRSJ6rJpzEYli/WdQo98k2kLiqXz2LiiDEV9iBEimK PX3UNpiYDHixOgzL9ITcwYGnKZlgIplWQIHLH5efu5E425BGPP68BndxmzHJii1Gd+ 6WQCrUXGcmbjavpwVc+9Z8Kvw3tQQoytmuxyXns09nWJaaMmk4vlome3kY1IKXJgs9 VlmAKh4R4wMPQ==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsRMY2vSXz6tpL for <spfbis@ietf.org>; Mon, 7 Feb 2022 01:09:13 +0100 (CET)
Message-ID: <b8e38c6a-aee9-8f86-350c-636c2f9d5efc@posteo.de>
Date: Mon, 07 Feb 2022 00:09:11 +0000
MIME-Version: 1.0
Content-Language: en-US
To: spfbis@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <8021771.rLJEViv2lv@localhost> <85cb8ec0-4316-c4db-4aed-2d49fda46f49@posteo.de> <45673006.FIhfuaby8d@localhost> <20220206224715.kzynnbwkt5a26wii@crankycanuck.ca>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <20220206224715.kzynnbwkt5a26wii@crankycanuck.ca>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms060403050104050805000808"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/oPBs9qOLX_VwopB2R9kKiavmVGk>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 00:09:24 -0000

On 2022-02-06 23:47, Andrew Sullivan wrote:
> It really basically depended on the strong data typing of A, AAAA, and 
> PTR records in order to give it clear places to insert itself.  "Look 
> at every TXT record," doesn't really support that plan. 

But it wouldn't be "every TXT record". If it doesn't start with "v=spf1" 
it can be passed as is and does not require parsing. And even then it's 
also a defined structure and not "arbitrary".

On 2022-02-06 23:47, Andrew Sullivan wrote:
> I never thought we were designing it for long life or high degrees of 
> robustness, and I think it is likely to be extremely difficult to 
> operate a modern mail server on v6-only infrastructure and be able to 
> talk to v4-only mail servers.

Actually the only limitation for that is the SPF record not being 
updated by DNS64... And for outgoing it's not an issue at all. A 
stateless NAT64 mapping is enough...

A combination of stateless and statefull NAT64 is enough to cover all 
the ugly IPv4 stuff. Also because IPv4 was already highly NAT44ed 
anyway. There is no difference between a mail server behind a NAT44 and 
one behind a NAT64 as long as the correct public facing IP is used in 
the configuration of one owns SPF record...

But tbh, in some situations it would be very helpful if I could just 
swap the calls for generating IPv4 packets by one that generates IPv6 
packets instead. I thought about writing something that works via 
LD_PRELOAD similarly to torsocks or IP2Unix, but it went way over my 
head to make it anything close to performant and reliable...

On 2022-02-06 23:47, Andrew Sullivan wrote:
> but the idea that this is going to be limited to SPF is, I suspect, a 
> false hope.  For that reason, my reaction is that it wouldn't be a 
> great idea to do.
What do you have in mind? What else would be there? From my point of few 
the only thing missing for a complete DNS64 rewrite is the SPF record. 
As nothing else contains IP addresses but only dns names. I've looked at 
the other record types. Did I miss something?

v2.23.0 | Report a Bug | By Email