
From:
Raf Czlonka <rczlonka@gmail.com>
Subject:
Re: unwind: support wildcard in blacklist
To:
Otto Moerbeek <otto@drijf.net>, "Kirill A. Korinsky" <kirill@korins.ky>, florian@openbsd.org, Stuart Henderson <stu@spacehopper.org>
Cc:
tech@openbsd.org
Date:
Tue, 25 Jun 2024 15:14:12 +0100

On Tue, Jun 25, 2024 at 01:28:03PM BST, Stuart Henderson wrote:
> On 2024/06/25 07:20, Otto Moerbeek wrote:
> > On Mon, Jun 24, 2024 at 10:55:23PM +0100, Kirill A. Korinsky wrote:
> > 
> > > Florian, tech@,
> > > 
> > > Here is a diff which introduces support for wildcards inside unwind's domain
> > > blacklist. A wildcard is supported only at the beginning and as '*', which should be
> > > followed by '.'.
> > > 
> > > So, after that these two lines:
> > > 
> > > google.com
> > > *.google.com
> > > 
> > > block any requests to google.com and all its subdomains.
> > 
> > Please be aware that in DNS wildcards are already used and have a
> > somewhat different interpretation than expected.
> > 
> > https://en.wikipedia.org/wiki/Wildcard_DNS_record
> > 
> > This means that this should be documented extra carefully, or a
> > different syntax should be used that does not confuse DNS people.
> 
> I agree. How about just ".google.com" to match in this fashion?
> Syntax like this is common in some MTAs, is fairly understandable,
> and doesn't get confused with DNS wildcards.

I was about to suggest the same thing, but giving 'domain_realm' in
krb5.conf as an example :^)

At the same time, I wanted to ask for clarification whether the
proposed change would also work in the same way:

	The domain can be either a full name of a host or a trailing
	component, in the latter case the domain-string should start
	with a period.  The trailing component only matches hosts
	that are in the same domain, i.e. ".example.com" matches
	"foo.example.com", but not "foo.test.example.com".

Cheers,

Raf
    
    
    
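An added matcher for the leading-dot blacklist syntax proposed in this thread, written for this page and not taken from unwind or krb5. It implements both readings so the difference Raf asks about is visible: SUBTREE blocks every name below the entry at any depth, ONE_LABEL follows the krb5 domain_realm rule and only matches names with exactly one extra label. The function and type names are assumptions.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/*
 * Interpretations of a blacklist entry with a leading dot:
 *  - SUBTREE:   ".example.com" matches "foo.example.com" and
 *               "foo.test.example.com" (any depth below the entry).
 *  - ONE_LABEL: krb5 domain_realm semantics, ".example.com" matches
 *               "foo.example.com" but not "foo.test.example.com".
 * An entry without a leading dot is an exact, case-insensitive match.
 * In both modes a leading-dot entry does not match the apex itself, so
 * a user who wants "example.com" blocked too lists it on its own line.
 */
enum dotmode { SUBTREE, ONE_LABEL };

/* Ignore a trailing root dot: "foo.example.com." -> "foo.example.com" */
static size_t
trim_root_dot(const char *name, size_t len)
{
	if (len > 0 && name[len - 1] == '.')
		len--;
	return len;
}

bool
blocklist_match(const char *entry, const char *name, enum dotmode mode)
{
	size_t elen = strlen(entry);
	size_t nlen = trim_root_dot(name, strlen(name));

	if (entry[0] != '.')
		return elen == nlen && strncasecmp(entry, name, nlen) == 0;

	/*
	 * Leading dot: the entry must be a proper suffix of the name. Because
	 * the entry itself starts with '.', a suffix match also guarantees the
	 * cut falls on a label boundary ("notexample.com" does not match).
	 */
	if (nlen <= elen || strncasecmp(entry, name + nlen - elen, elen) != 0)
		return false;

	if (mode == SUBTREE)
		return true;

	/* ONE_LABEL: the prefix before the suffix may not contain another dot. */
	return memchr(name, '.', nlen - elen) == NULL;
}
```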