From: Raf Czlonka <rczlonka@gmail.com>
Subject: Re: unwind: support wildcard in blacklist
To: Theo de Raadt <deraadt@openbsd.org>
Cc: Otto Moerbeek <otto@drijf.net>, "Kirill A. Korinsky" <kirill@korins.ky>, florian@openbsd.org, Stuart Henderson <stu@spacehopper.org>, tech@openbsd.org
Date: Tue, 25 Jun 2024 18:32:46 +0100

On Tue, Jun 25, 2024 at 05:56:36PM BST, Theo de Raadt wrote:
> > > I agree. How about just ".google.com" to match in this fashion?
> > > Syntax like this is common in some MTAs, is fairly understandable,
> > > and doesn't get confused with DNS wildcards.
> > 
> > I was about to suggest the same thing, but give 'domain_realm' in
> > krb5.conf as an example :^)
> > 
> > At the same time, I wanted to ask for clarification whether the
> > proposed change would also work in the same way:
> > 
> > 	The domain can be either a full name of a host or a trailing
> > 	component, in the latter case the domain-string should start
> > 	with a period.  The trailing component only matches hosts
> > 	that are in the same domain, ie ".example.com" matches
> > 	"foo.example.com", but not "foo.test.example.com".
> 
> Whoa.  I don't consider any aspect of kerberos to be guidance for
> any other subsystem.

Relax, 'tis but an example of domain and dot.domain :^)

R.
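
Added example, not part of the original message and not unwind or krb5 code: the two readings of a leading-dot entry raised in this thread, side by side. `dot_match` and its `one_label` flag are hypothetical names; it assumes the queried name is a syntactically valid host name and that ".example.com" never matches the bare "example.com".

```c
#include <string.h>
#include <strings.h>

/*
 * Hypothetical helper: match a DNS name against a blocklist entry.
 *   "example.com"   the exact name only
 *   ".example.com"  names below example.com
 * one_label != 0 selects the stricter reading quoted in the thread,
 * where ".example.com" matches "foo.example.com" but not
 * "foo.test.example.com"; one_label == 0 matches at any depth.
 * Returns 1 on match, 0 otherwise.
 */
int
dot_match(const char *pattern, const char *name, int one_label)
{
	size_t plen = strlen(pattern), nlen = strlen(name);
	size_t prefix;

	/* Treat "foo.example.com." and "foo.example.com" alike. */
	if (nlen > 0 && name[nlen - 1] == '.')
		nlen--;
	if (plen > 1 && pattern[plen - 1] == '.')
		plen--;

	/* Full host name: case-insensitive exact match. */
	if (pattern[0] != '.')
		return nlen == plen && strncasecmp(pattern, name, nlen) == 0;

	/* Assumption: at least one label must precede the suffix. */
	if (nlen <= plen)
		return 0;
	prefix = nlen - plen;

	/*
	 * The pattern's leading '.' pins the comparison to a label
	 * boundary, so "notexample.com" cannot match ".example.com".
	 */
	if (strncasecmp(name + prefix, pattern, plen) != 0)
		return 0;

	/* Stricter reading: what precedes the suffix is a single label. */
	if (one_label && memchr(name, '.', prefix) != NULL)
		return 0;
	return 1;
}
```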