Extension of DNS64 (RFC6147) for SPF (RFC7208)

Internet-Draft	dns64-spf-extension	February 2022
Frank	Expires 12 August 2022	[Page]

Abstract

This document describes interoperability issues and resolutions between DNS64 and SPF records for mail transfer agents. This RFC also aims to simplify the IPv6 migration for mail transfer agent operators.¶

This document updates [RFC6147] and [RFC7208].¶

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 12 August 2022.¶

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶

1. Introduction

The DNS64 [RFC6147] definition causes issues for mail transfer agent operators as it failed to consider the existance of SPF records [RFC7208]. Because of this when an SPF validator tries to validate it'll fail because the originating NAT64 [RFC6146] IP isn't within the SPF records allow-/denylist...¶

2. Rewriting SPF records

The section 5.1 of [RFC6147] gets ammended with another subsection (5.1.9):¶

5.1.9. Dealing with SPF records If the DNS64 server receives a SPF-record (within either the TXT-RR or the SPF-RR [RFC4408]) containing the "ip4" mechanism, it MUST rewrites the ipv4 address according to the same rules as an A-RR and synthesize a new SPF record within the response that contains it as an additional "ip6" entry. If an ip4-cidr-length is present, it gets converted as well (adding 96 will generate the new ip6-cidr-length). The original "ip4" mechanism MUST NOT be removed from the response. If any "a" or "mx" mechanism contains a dual-cidr-length without an ip6-cidr-length, it also gets generated. E.g.: "v=spf1 a:a.example.com/24 mx:mx.example.com/24 ip4:192.0.0.1/32 -all" becomes: "v=spf1 a:a.example.com/24/120 mx:mx.example.com/24/120 ip4:192.0.0.1/32 ip6:64:ff9b::c000:1/128 -all" NOTE: Everything else is done by the SPF validator (as already defined in the standard). * When it checks a.example.com, it'll query the A-RR and AAAA-RR and thereby get a response containing the synthesized AAAA-RR and validation will pass accordingly. * When it checks the NAT64 generated IPv6 source address against the SPF, it'll find the "ip6" mechanism and also pass. * For any macro-string, the SPF validator will generate new DNS lookups, which will be rewritten according to this RFC and therefore pass as expected.¶

3. SPF Mechanism Definitions

The section 5.7 of [RFC7208] currently explicitely ignores the presence of IPv6 and to future proofe it for IPv6-only it gets updated from¶

This mechanism is used to construct an arbitrary domain name that is used for a DNS A record query.¶

to¶

This mechanism is used to construct an arbitrary domain name that is used for a dual DNS A-RR and AAAA-RR query.¶

and from¶

The <domain-spec> is expanded as per Section 7. The resulting domain name is used for a DNS A RR lookup (even when the connection type is IPv6). If any A record is returned, this mechanism matches.¶

to¶

The <domain-spec> is expanded as per Section 7. The resulting domain name is used for a DNS A-RR and AAAA-RR lookup, depending on when the host is single-stack IPv6 or IPv4. For dual-stack, an SPF resolver MUST query both. If any A or AAAA record is returned, this mechanism matches.¶

4. Informative References

[RFC4408]: Wong, M. and W. Schlitt, "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1", RFC 4408, DOI 10.17487/RFC4408, April 2006, <https://www.rfc-editor.org/info/rfc4408>.
[RFC6146]: Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011, <https://www.rfc-editor.org/info/rfc6146>.
[RFC6147]: Bagnulo, M., Sullivan, A., Matthews, P., and I. van Beijnum, "DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers", RFC 6147, DOI 10.17487/RFC6147, April 2011, <https://www.rfc-editor.org/info/rfc6147>.
[RFC7208]: Kitterman, S., "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", RFC 7208, DOI 10.17487/RFC7208, April 2014, <https://www.rfc-editor.org/info/rfc7208>.