IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Mark Andrews <marka@isc.org> Mon, 07 February 2022 01:46 UTC

Return-Path: <marka@isc.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C24D03A1143 for <spfbis@ietfa.amsl.com>; Sun, 6 Feb 2022 17:46:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=T9MaypD3; dkim=pass (1024-bit key) header.d=isc.org header.b=Dr0o3ta8
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YLufP3p7a-eO for <spfbis@ietfa.amsl.com>; Sun, 6 Feb 2022 17:46:05 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05F7A3A1142 for <spfbis@ietf.org>; Sun, 6 Feb 2022 17:46:04 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id A05EE3AB009; Mon, 7 Feb 2022 01:46:02 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org A05EE3AB009
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1644198362; bh=CSFrNF1UizFctoTwKDx52M7YuXc//hKSsrYyrVWydzU=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=T9MaypD3RnRkqrvTxWpkeuAw3PF4aHFDK/2ZfmTIiqyYn9re49zoBjgx8irzbleqo A5rXzeNagB73z6KOykm58JoXTD+E4UxVEOlagsxzzEf/YM5u8nIhvvfWNZAF/nJ9kS agItQ6JoIUz1qszJqVCzQV2H9O9f9rHzOExI1cF0=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 96207FE5318; Mon, 7 Feb 2022 01:46:02 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 67DD2FE531A; Mon, 7 Feb 2022 01:46:02 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 67DD2FE531A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1644198362; bh=nUvyev1vVYNorikzoaVa/uYkU8thq1zD5xnYcNyHQOk=; h=Mime-Version:From:Date:Message-Id:To; b=Dr0o3ta8j64EnieWljEEH8/f53vz5+Gp0ROgZjLRv3jkfcBf2IOFzoYwL4aPgpemF onTSdAJqAhCj4ZG+a4K8JpJ3siRWAI9oNu5ciAnOfP/bR/oQhTmfa40iM2DYqc3Sco 0vKDSj9U4hdGPlP+J94DGRCt5Md3591yWkZRYCxo=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 4ZF0VRgTstWX; Mon, 7 Feb 2022 01:46:02 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id C03C8FE5318; Mon, 7 Feb 2022 01:46:01 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <f2fccd74-355e-12b4-6b8a-539f61561a12@posteo.de>
Date: Mon, 07 Feb 2022 12:45:57 +1100
Cc: spfbis@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E633D5D6-AFE1-4BDD-B202-1ED90A1F9CEF@isc.org>
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <8021771.rLJEViv2lv@localhost> <85cb8ec0-4316-c4db-4aed-2d49fda46f49@posteo.de> <45673006.FIhfuaby8d@localhost> <20220206224715.kzynnbwkt5a26wii@crankycanuck.ca> <7ddee9f68efbef4bcf2dbfef69b0766a@leibzon.org> <f2fccd74-355e-12b4-6b8a-539f61561a12@posteo.de>
To: Klaus Frank <klaus.frank@posteo.de>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/qh-jAsCnbREgJEZb5634fTUPuZo>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 01:46:12 -0000

Despite what you quote here, DNS64 is incompatible with DNSSEC because it hijacked the CD bit for a different purpose.  For a DNSSEC validator to work through another nameserver it needs to be able to send both CD=0 and CD=1
requests WITHOUT the records being modified.  The DNS64 working group was told this at the time but refused to listen.  

CD=1 to handle bad time / bad trust anchors in the upstream nameservers.
CD=0 to handle spoofed / expired responses being sent to the upstream nameservers.

in BOTH cases the client validates the responses.  If the validation fails the first way, it should attempt the
request again with the CD bit in the other state.  If the second query fails then you have an actual DNSSEC failure.

Below was just wishful thinking upon behalf of the DNS64 working group.  They wanted a signal that meant the client is performing validation and refused to accept “if DO=1 then you have to assume the client is validating."

   3.  A security-aware and non-validating DNS64 receives a query with
       the DO bit set and the CD bit clear.  Such a resolver is not
       validating responses, likely due to local policy (see [RFC4035],
       Section 4.2).  For that reason, this case amounts to the same as
       the previous case, and no validation happens.

Making CD into a modify the response signal was/is incompatible with how DNSSEC uses CD.

Mark

> On 7 Feb 2022, at 12:07, Klaus Frank <klaus.frank@posteo.de> wrote:
> 
> 
> On 2022-02-07 01:42, william@leibzon.org wrote:
>> 
>> Yeah, I wasn't thrilled with the idea of SPF using TXT record way back when. It opened it for quite a few others who followed. Putting ip addresses there though is not something that is done for any other protocol or software I can immediately think of.
>> 
>> I'm curious, how does DNS64 inter-operates with DNSSEC? Would that not break it and make DNSSEC folks very uncomfortable about what others could decide to do?
>> 
> Basically by offloading it towards the DNS64 server.
> 
> https://datatracker.ietf.org/doc/html/rfc6147#section-6.2
> 
> 6.2.  DNSSEC Validators and DNS64
> 
>    An existing DNSSEC validator (i.e., one that is unaware of DNS64)
>    might reject all the data that comes from DNS64 as having been
>    tampered with (even if it did not set CD when querying). *If it is**
> **   necessary to have validation behind the DNS64, then the validator**
> **   must know how to perform the DNS64 function itself*. Alternatively,
>    the validating host may establish a trusted connection with a DNS64,
>    and allow the DNS64 recursive resolver to do all validation on its
>    behalf.
> 
>> I think it could be helpful to collect various protocol operational and similar issues for those running mail servers (and other servers) behind NAT64 and write informational RFC which would be soft of experimental best practice. I'd expect that some server software would have to add special features to be used in this setup.
>> 
> "special features" is exactly what I wanted to avoid. Also I don't know if it's strictly necessary to have a dedicated RFC for how to do the migration. Besides this issue with the SPF record it's basically the same as for any other server application. Use stateless NAT64 (aka. IPv4aaS) to have a dedicated public IPv4. Put that IPv4 (prefix) into the SPF record as usual. And for now disable the SPF validation for inbound mails. The only really noteworthy thing is with filtering stuff like SIEVE that these need to be updated to include their mapped IPv6 addresses or similar. Everything else just works because of NAT64 and DNS64...
> 
>> On 2022-02-06 14:47, Andrew Sullivan wrote:
>> 
>>> Hi,
>>> 
>>> I'm one of the primary offenders behind DNS64.  I work for the Internet Society but I am not speaking for them (or anyone eles) right now.
>>> 
>>> On Sun, Feb 06, 2022 at 02:57:08PM -0500, Scott Kitterman wrote:
>>> 
>>>> I think your original suggestion that an SPF record be modified by the DNS64
>>>> server to add ip6: mechanisms with <prefix> + <address> is a reasonable path
>>>> forward, but I think it's really an RFC 6147 discussion, not so much RFC 7208.
>>> 
>>> The problem with this is that it's importing the DNS64 intimate knowledge of this protocol for TXT records, which means in effect that DNS64 needs to start parsing arbitrary data in TXT records.  (There is a reason DNS weenies always got upset about ignoring the strong typing in DNS, and this is an example of it.)
>>> 
>>> DNS64, to be honest, was always sort of a hack that was intended to make transition to v6 easier.  It really basically depended on the strong data typing of A, AAAA, and PTR records in order to give it clear places to insert itself.  "Look at every TXT record," doesn't really support that plan.  I never thought we were designing it for long life or high degrees of robustness, and I think it is likely to be extremely difficult to operate a modern mail server on v6-only infrastructure and be able to talk to v4-only mail servers.  In any case, I guess it would be _possible_ to teach a DNS64 server to parse and edit TXT records on the fly, but the idea that this is going to be limited to SPF is, I suspect, a false hope.  For that reason, my reaction is that it wouldn't be a great idea to do. I nevertheless sympathize with the desire, even though I am made nervous about the implications.
>>> 
>>>> It is not, however, without risks.  RFC 7208 Section 3.4 gives advice on SPF
>>>> record size.  Your proposed approach would increase the record size, which, in
>>>> theory, could be problematic.  It might be that anything running on an IPv6
>>>> only network is modern enough that this isn't actually a problem.  I don't
>>>> know.
>>> 
>>> I'd be especially worried about RRset size, because a lot of stuff in contemporary operations is jammed into TXT records (all those application keys, for instance).  I can imagine cases where the change could move the response size across the response size boundary, forcing truncation and TCP fallback.
>>> 
>>> Best regards,
>>> 
>>> A
>> 
>> _______________________________________________
>> spfbis mailing list
>> spfbis@ietf.org
>> https://www.ietf.org/mailman/listinfo/spfbis
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email