IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 23:32 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D78703A0EF2 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:32:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o8JPInoaeaVf for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:32:02 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAFF23A0EEC for <spfbis@ietf.org>; Mon, 7 Feb 2022 15:32:01 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 9AF92240106 for <spfbis@ietf.org>; Tue, 8 Feb 2022 00:31:56 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644276717; bh=eu5bQHH2cCUQp6KVnIzhlp1qNUXbC+m2yYFb/LSQPPI=; h=Date:Subject:To:From:From; b=UAbw/qe5BzXS2jUl4JRqp3wzBGy0/AY2zekZA57uhW4A5PVp+IeV1KSCLTlmoAsHR XiuJQiOjHjzf7W0fxZ5FSsaXnayvv0luzYaTypAnTvcMCcIixdH6pm+f53jrVcJhO0 AVuG+nJdZ6sqvAXScr4xtrw78DDSrtEh1YTlh9ZNlMUYQqcM1ABHzPPOj7oD4iawBB lea5lrnmUAaucssL/queKe8mSXejHLnH8S1Y3bXpJj8PHJ0YbQ8vVVLFIz2lMyLOYX 7jFsO/7vIm7cuCK0Pc0YFmWFosLZsypXT1axqh8Yda7j6apxTGSdC+5AEbMH9yCFqH Ie2g1hU8HtweQ==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Jt2V44j5rz9rxF for <spfbis@ietf.org>; Tue, 8 Feb 2022 00:31:56 +0100 (CET)
Message-ID: <3f9e531c-3b78-2c9d-3776-bf2ab297dead@posteo.de>
Date: Mon, 07 Feb 2022 23:31:55 +0000
MIME-Version: 1.0
Content-Language: en-US
To: spfbis@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <DF73F58F-D33E-495A-B18C-58BC994ADE8B@viagenie.ca> <5b5f5a2a-8250-4ee5-3560-80e67b540204@posteo.de> <e061ff19f8bf10bef43399d82a29bee48fbcee5d.camel@16bits.net> <e0f53dcc-a909-9476-691b-84184ba8761c@posteo.de> <b7fe33e0f8982bb5f4560ed546ac35bdff25e03b.camel@16bits.net> <1fc6a0d819c1872624dcae1e15af0384@leibzon.org>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <1fc6a0d819c1872624dcae1e15af0384@leibzon.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080205050909090803090101"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/vpZ0Qu1nDMKnxyTr123y9pAJM1c>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 23:32:07 -0000

On 2022-02-08 00:22, william@leibzon.org wrote:
>
> SPF macro tricks: 
> https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/
> I wonder how many people actually use SPF macros....
>
We don't have to. This is all done by the SPF library and we just need 
to care about the DNS requests it'll perform because of this. The new 
dns queries are also SPF records. And also start with "v=spf1 ", so no 
problems as long as we'd rewrite all ip4's within it and that's the same 
as we'd already do anyway. Therefore no change to macros needed.
>
> But yeah, trying to translate these is the kind of hell that should be 
> reserved for full SPF library and not something DNS64 server should 
> probably attempt. Looks like those who want SPF to work behind NAT64 
> would have to use a library that can discovery what NAT64 prefix is 
> and translate everything.
>
> BTW, what's going on with exists and A vs AAAA? The SPF 7206 RFC says:
>
> exists           = "exists"   ":" domain-spec
>
>     The <domain-spec> is expanded as perSection 7  <https://datatracker.ietf.org/doc/html/rfc7208#section-7>.  The resulting domain
>     name is used for a DNS A RR lookup (even when the connection type is
>     IPv6).  If any A record is returned, this mechanism matches."
>
> How is this meant to work for those in IPv6 only world? And what will 
> happen when a SPF resolver behind DNS64 tries to resolve this? Is 
> DNS64 just adding AAAA while preserving the A as well for an 
> application that needs it?
>
IPv4 records are preserved. But yea, it was already noted in the 
discussion that that part is a minor problematic.

Here is a DNS64 resolver from cloudflare if you want to try it yourself: 
2606:4700:4700::64

>  On 2022-02-07 14:40, Ángel wrote:
>
>> On 2022-02-07 at 02:30 +0000, Klaus Frank wrote:
>>> Why? Such a query would resolve in the mailserver would make the DNS
>>> lookup. The DNS64 server than would synthetically add an AAAA-RR to
>>> the response.
>>
>> The issue is not that the response contains an A record but that the
>> queried domain embeds the remote IP.
>>
>> The A result is usually a 127.0.0.x address, with some "magic" meaning
>> (perhaps lost if translated into IPv6) but the main problem is querying
>> the right label.
>>
>> _______________________________________________
>> spfbis mailing list
>> spfbis@ietf.org
>> https://www.ietf.org/mailman/listinfo/spfbis
>
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis

v2.23.0 | Report a Bug | By Email