
From:
"Theo de Raadt" <deraadt@openbsd.org>
Subject:
Re: unwind: support wildcard in blacklist
To:
Raf Czlonka <rczlonka@gmail.com>
Cc:
Otto Moerbeek <otto@drijf.net>, "Kirill A. Korinsky" <kirill@korins.ky>, florian@openbsd.org, Stuart Henderson <stu@spacehopper.org>, tech@openbsd.org
Date:
Tue, 25 Jun 2024 10:56:36 -0600

> > I agree. How about just ".google.com" to match in this fashion?
> > Syntax like this is common in some MTAs, is fairly understandable,
> > and doesn't get confused with DNS wildcards.
> 
> I was about to suggest the same thing, but give 'domain_realm' in
> krb5.conf as an example :^)
> 
> At the same time, I wanted to ask for clarification whether the
> proposed change would also work in the same way:
> 
> 	The domain can be either a full name of a host or a trailing
> 	component, in the latter case the domain-string should start
> 	with a period.  The trailing component only matches hosts
> 	that are in the same domain, ie ".example.com" matches
> 	"foo.example.com", but not "foo.test.example.com".


Whoa.  I don't consider any aspect of kerberos to be guidance for
any other subsystem.
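
The two readings of a leading-dot entry discussed in this thread, as an added example that is not part of the original message and is not unwind(8) code. `entry_matches()` and its `single_level` flag are hypothetical; treating names case-insensitively, ignoring a trailing root dot, and not matching the bare domain itself are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Added example; entry_matches() is a hypothetical helper, not unwind(8) code.
 * pattern is either a full host name ("example.com") or a trailing
 * component with a leading period (".example.com").
 * single_level != 0 applies the restriction from the quoted krb5.conf text:
 * ".example.com" matches "foo.example.com" but not "foo.test.example.com".
 * Returns 1 on match, 0 otherwise.
 */
int
entry_matches(const char *pattern, const char *name, int single_level)
{
	size_t plen = strlen(pattern), nlen = strlen(name);

	/* Assumption: ignore the root dot of a fully qualified name. */
	if (nlen > 0 && name[nlen - 1] == '.')
		nlen--;
	if (plen == 0 || nlen == 0)
		return 0;

	/* No leading period: exact, case-insensitive comparison. */
	if (pattern[0] != '.')
		return plen == nlen && strncasecmp(pattern, name, nlen) == 0;

	/*
	 * Leading period: the name must end in the pattern, period included,
	 * so the match starts on a label boundary ("notgoogle.com" fails)
	 * and at least one label precedes it (assumption: the bare domain
	 * is not matched).
	 */
	if (plen == 1 || nlen <= plen)
		return 0;
	if (strncasecmp(name + nlen - plen, pattern, plen) != 0)
		return 0;
	/* Single-level reading: no further period before the suffix. */
	if (single_level && memchr(name, '.', nlen - plen) != NULL)
		return 0;
	return 1;
}

int
main(void)
{
	printf("%d\n", entry_matches(".example.com", "foo.test.example.com", 0));
	printf("%d\n", entry_matches(".example.com", "foo.test.example.com", 1));
	return 0;
}
```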