Network Working Group K. Frank Internet-Draft 8 February 2022 Intended status: Standards Track Expires: 12 August 2022 Extension of DNS64 (RFC6147) for SPF (RFC7208) draft-frank-dns64-spf-extension-01 Abstract This document describes interoperability issues and resolutions between DNS64 and SPF records for mail transfer agents. This RFC also aims to simplify the IPv6 migration for mail transfer agent operators. This document updates [RFC6147] and [RFC7208]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 12 August 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Frank Expires 12 August 2022 [Page 1] Internet-Draft dns64-spf-extension February 2022 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Rewriting SPF records . . . . . . . . . . . . . . . . . . . . 2 3. SPF Mechanism Definitions . . . . . . . . . . . . . . . . . . 3 4. Informative References . . . . . . . . . . . . . . . . . . . 3 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction The DNS64 [RFC6147] definition causes issues for mail transfer agent operators as it failed to consider the existance of SPF records [RFC7208]. Because of this when an SPF validator tries to validate it'll fail because the originating NAT64 [RFC6146] IP isn't within the SPF records allow-/denylist... 2. Rewriting SPF records The section 5.1 of [RFC6147] gets ammended with another subsection (5.1.9): | 5.1.9. Dealing with SPF records | | If the DNS64 server receives a SPF-record (within either the TXT- | RR or the SPF-RR [RFC4408]) containing the "ip4" mechanism, it | MUST rewrites the ipv4 address according to the same rules as an | A-RR and synthesize a new SPF record within the response that | contains it as an additional "ip6" entry. If an ip4-cidr-length | is present, it gets converted as well (adding 96 will generate the | new ip6-cidr-length). The original "ip4" mechanism MUST NOT be | removed from the response. If any "a" or "mx" mechanism contains | a dual-cidr-length without an ip6-cidr-length, it also gets | generated. E.g.: "v=spf1 a:a.example.com/24 mx:mx.example.com/24 | ip4:192.0.0.1/32 -all" becomes: "v=spf1 a:a.example.com/24/120 | mx:mx.example.com/24/120 ip4:192.0.0.1/32 ip6:64:ff9b::c000:1/128 | -all" NOTE: Everything else is done by the SPF validator (as | already defined in the standard). * When it checks a.example.com, | it'll query the A-RR and AAAA-RR and thereby get a response | containing the synthesized AAAA-RR and validation will pass | accordingly. * When it checks the NAT64 generated IPv6 source | address against the SPF, it'll find the "ip6" mechanism and also | pass. * For any macro-string, the SPF validator will generate new | DNS lookups, which will be rewritten according to this RFC and | therefore pass as expected. Frank Expires 12 August 2022 [Page 2] Internet-Draft dns64-spf-extension February 2022 3. SPF Mechanism Definitions The section 5.7 of [RFC7208] currently explicitely ignores the presence of IPv6 and to future proofe it for IPv6-only it gets updated from | This mechanism is used to construct an arbitrary domain name that | is used for a DNS A record query. to | This mechanism is used to construct an arbitrary domain name that | is used for a dual DNS A-RR and AAAA-RR query. and from | The is expanded as per Section 7. The resulting | domain name is used for a DNS A RR lookup (even when the | connection type is IPv6). If any A record is returned, this | mechanism matches. to | The is expanded as per Section 7. The resulting | domain name is used for a DNS A-RR and AAAA-RR lookup, depending | on when the host is single-stack IPv6 or IPv4. For dual-stack, an | SPF resolver MUST query both. If any A or AAAA record is | returned, this mechanism matches. 4. Informative References [RFC4408] Wong, M. and W. Schlitt, "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1", RFC 4408, DOI 10.17487/RFC4408, April 2006, . [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011, . [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van Beijnum, "DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers", RFC 6147, DOI 10.17487/RFC6147, April 2011, . Frank Expires 12 August 2022 [Page 3] Internet-Draft dns64-spf-extension February 2022 [RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", RFC 7208, DOI 10.17487/RFC7208, April 2014, . Author's Address Klaus Frank Email: klaus.frank@posteo.de Frank Expires 12 August 2022 [Page 4]