Re: [spfbis] RFC6147 and RFC7208 interoperability issues

John Levine <johnl@taugh.com> Mon, 07 February 2022 18:29 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43DA83A105C for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 10:29:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.849
X-Spam-Level:
X-Spam-Status: No, score=-1.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=Os2E/NHg; dkim=pass (2048-bit key) header.d=taugh.com header.b=B7AAV5/t
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mJNH3v7fFCaI for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 10:29:51 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1489E3A0B75 for <spfbis@ietf.org>; Mon, 7 Feb 2022 10:29:50 -0800 (PST)
Received: (qmail 68829 invoked from network); 7 Feb 2022 18:29:48 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=10cda.6201651c.k2202; bh=yN2vJH2draAcprKJ0eQ4Y5JSTyBMRo5RifqBXpyAd6w=; b=Os2E/NHgysOATa35k9rVjm7qJjOGG/tqGyHWWYDvE/aNguXlvPfkcKV2SMjHQmj6+iTrY6rO0udb64QdWzHvtsWuftpbjYffjEUbq3TdlqZ8fwIyw85By8SemOUZ/9t1t04wxIUyEXGX4dFo4jMc0/WX+twRjiIklVoKxsXTxEu0Y60jvzyxizGthEWJ9rn2X/pRHHrzErwuqbvp+NFl0Xb6KcJTca9u2IbA3eLz8H09CK6eBt+/+JKT3vvOR4FD2sHQbZq91SicMuvUQrJm4DifLRRTUAnUHEuipGkLfEBCttGih7xdkp5bKlMh5UM0yR+3U+qBz2NozzxLPO49Hw==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=10cda.6201651c.k2202; bh=yN2vJH2draAcprKJ0eQ4Y5JSTyBMRo5RifqBXpyAd6w=; b=B7AAV5/tX+21YdeYfPVS1NCRh/eDVAvgiszttZ7k2G/AZMpgWQMd1E6M7bu1nKc2uIHcN3CZ5grGIe8PslhAtwfsiBeLUR/UG3cUrZUx4hZNnzmyJeDex817aQrv92F+UcvMkDPHPOwN+5h7NdRc426kLpnDR3AQozHalCcZ6u17VimjFaQOuCscxlv+w9IdTiGSEHKfl3TDmAVBpNUFRn7AkVEnTVqX0QZJt20wlqqztSYodSHU7CfEaUuN7Kxwyx5qNW8tN8U6nFxcmBkF+RBYO43obrV6pJf9O8/KftdVaYz8fjmiiF20dj/iHoSIJDi2j3Tcc0uMvx5Z4Loetw==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 07 Feb 2022 18:29:48 -0000
Received: by ary.qy (Postfix, from userid 501) id 92BB13670E02; Mon, 7 Feb 2022 13:29:46 -0500 (EST)
Date: Mon, 07 Feb 2022 13:29:46 -0500
Message-Id: <20220207182947.92BB13670E02@ary.qy>
From: John Levine <johnl@taugh.com>
To: spfbis@ietf.org
Cc: ajs@anvilwalrusden.com
In-Reply-To: <20220207175206.rfxlt5s5rxhubjyg@crankycanuck.ca>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/reVuGraZj6H2s_KXpse8awkcyIY>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 18:29:56 -0000

It appears that Andrew Sullivan <ajs@anvilwalrusden.com> said:
>Hi,
>
>(Still working for someone and not speaking for them.)
>
>On Mon, Feb 07, 2022 at 12:31:28PM -0500, John Levine wrote:
>
>>But we now know that DNS64 breaks DNSSEC
>
>To be clear, we _always_ knew this ...
>
>> it breaks SPF
>
>I don't actually think that is true.  I think SPF is a case where, if you're going to use an application that depends on IPv4 literals behind a NAT64, you're going to need a NAT64-aware application.  That shouldn't be too surprising in my opinion.

It seems to me they're really the same. If the application knows it's
behind DNS64 and it sees an AAAA record with a translated address, the
application can translate it back and see if it's valid, e.g., ask for
signed DNS A records and see if the addresses match.

Of course, if you can expect the endpoint to know that much about
what's going on, you might as well skip the DNS hackery and do the
address translation in the endpoint's socket routines. I probably
should stop now lest someone think that was a serious suggestion.

R's,
John
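The round trip John describes above (a DNS64-aware application mapping a synthesized AAAA record back to its embedded IPv4 address and checking that address against the zone's A records) as an added example in Python; it is not code from this thread or from any of the RFCs under discussion. It follows the RFC 6052 IPv4-embedded address layouts, including the well-known prefix 64:ff9b::/96 and the shorter network-specific prefix lengths, and goes slightly beyond the message by classifying every record in an AAAA answer set. The DNS answers are constructed sample data rather than live lookups, and the A records are assumed to have been DNSSEC-validated by the resolver; the synthesized AAAA records, as John notes, cannot be.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, List, Optional

# RFC 6052 well-known prefix, used by DNS64/NAT64 when no network-specific
# prefix is configured.
WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")


def embedded_ipv4(addr: IPv6Address, prefix: IPv6Network) -> Optional[IPv4Address]:
    """Return the IPv4 address embedded in `addr` under RFC 6052 for `prefix`.

    Returns None when `addr` is outside the prefix (a native IPv6 address).
    Raises ValueError when `addr` is inside the prefix but not a valid encoding.
    """
    if addr not in prefix:
        return None
    b = addr.packed          # 16 bytes in network order
    pl = prefix.prefixlen
    if pl == 96:
        # /96: the IPv4 address occupies the last 32 bits, no "u" octet.
        return IPv4Address(b[12:16])
    # RFC 6052 section 2.2: for shorter prefixes the IPv4 bits are split
    # around byte 8 (bits 64-71, the "u" octet), which must be zero.
    layouts = {
        32: b[4:8],
        40: b[5:8] + b[9:10],
        48: b[6:8] + b[9:11],
        56: b[7:8] + b[9:12],
        64: b[9:13],
    }
    if pl not in layouts:
        raise ValueError(f"RFC 6052 does not define a /{pl} prefix")
    if b[8] != 0:
        raise ValueError("u octet (bits 64-71) must be zero in an IPv4-embedded address")
    return IPv4Address(layouts[pl])


def classify_aaaa(aaaa: str, a_records: List[str],
                  prefix: IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Decide what a DNS64-aware application should make of one AAAA answer.

    "native"     - not under the DNS64 prefix, so it came from the zone itself
    "consistent" - synthesized, and the embedded IPv4 is among the A records
    "mismatch"   - synthesized, but no A record carries that IPv4 address
    "malformed"  - under the prefix but not a valid RFC 6052 encoding
    """
    try:
        v4 = embedded_ipv4(IPv6Address(aaaa), prefix)
    except ValueError:
        return "malformed"
    if v4 is None:
        return "native"
    known = {IPv4Address(a) for a in a_records}
    return "consistent" if v4 in known else "mismatch"


def check_answer(aaaa_records: List[str], a_records: List[str],
                 prefix: IPv6Network = WELL_KNOWN_PREFIX) -> Dict[str, str]:
    """Classify a whole AAAA answer set against the (validated) A answer set."""
    return {rec: classify_aaaa(rec, a_records, prefix) for rec in aaaa_records}


# Constructed sample answers (documentation ranges only, not real hosts):
# what a DNS64 resolver would hand back for a name whose zone has two A
# records and one native AAAA record, plus one synthesized record that
# corresponds to no A record at all.
SAMPLE_A = ["192.0.2.1", "192.0.2.2"]
SAMPLE_AAAA = ["64:ff9b::192.0.2.1", "64:ff9b::198.51.100.7", "2001:db8::25"]

if __name__ == "__main__":
    for rec, verdict in check_answer(SAMPLE_AAAA, SAMPLE_A).items():
        print(f"{rec:28} {verdict}")
```

The classification is the whole value of the check: a "consistent" record is one the application can trust to the extent it trusts the signed A record behind it, a "native" record was never touched by DNS64, and a "mismatch" or "malformed" record is one the application has no signed evidence for. Running the block prints one line per sample AAAA record with its verdict.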