Project

General

Profile

Actions
Copy link

Bug #13686

closed

Unbound breaks SPF

Added by Frederic Steinfels over 1 year ago. Updated over 1 year ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
DNS Resolver
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:
All

Description

It seems the unbound module is not compliant with the SPF standard.

When I do the lookup on the pfsense unbound server, I will get this answer:

dig @192.168.99.254 85.222.158.221._spf.mta.salesforce.com

; <<>> DiG 9.16.33-RH <<>> @192.168.99.254 85.222.158.221._spf.mta.salesforce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; >>HEADER<< opcode: QUERY, status: NOERROR, id: 63551
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;85.222.158.221._spf.mta.salesforce.com. IN A

;; AUTHORITY SECTION:
mta.salesforce.com. 86400 IN NS dns05.salesforce.com.
mta.salesforce.com. 86400 IN NS dns03.salesforce.com.
mta.salesforce.com. 86400 IN NS dns04.salesforce.com.
mta.salesforce.com. 86400 IN NS dns02.salesforce.com.
mta.salesforce.com. 86400 IN NS dns01.salesforce.com.
mta.salesforce.com. 86400 IN NS ns4.salesforce.com.
mta.salesforce.com. 86400 IN NS ns3.salesforce.com.
mta.salesforce.com. 86400 IN NS ns2.salesforce.com.
mta.salesforce.com. 86400 IN NS ns1.salesforce.com.
mta.salesforce.com. 86400 IN NS dns06.salesforce.com.

;; Query time: 135 msec
;; SERVER: 192.168.99.254#53(192.168.99.254)
;; WHEN: Tue Nov 22 23:53:52 CET 2022
;; MSG SIZE rcvd: 259

When I ask another public DNS, I will get this answer:

dig @213.144.129.20 85.222.158.221._spf.mta.salesforce.com

; <<>> DiG 9.16.33-RH <<>> @213.144.129.20 85.222.158.221._spf.mta.salesforce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; >>HEADER<< opcode: QUERY, status: NOERROR, id: 26816
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;85.222.158.221._spf.mta.salesforce.com. IN A

;; ANSWER SECTION:
85.222.158.221._spf.mta.salesforce.com. 80170 IN A 127.0.0.9

;; Query time: 3 msec
;; SERVER: 213.144.129.20#53(213.144.129.20)
;; WHEN: Tue Nov 22 23:59:23 CET 2022
;; MSG SIZE rcvd: 83

So for some reason, the result 127.0.0.9 is missing in the result from unbound!

I was checking the resolver.log file and I found this:

Nov 22 23:53:52 gw unbound87835: [87835:8] debug: sanitize: removing public name with private address <85.222.158.221._spf.mta.salesforce.com.> 127.0.0.9#53

However, this website https://dmarcian.com/spf-syntax-table/ says that the response 127.0.0.x is perfectly valid.

As good the idea is to do the sanitation, in this respect it breaks SPF and the sanitation should not happen, at least not by default.

Actions
Copy link

Also available in: Atom PDF