From: Stuart Henderson
Subject: Re: unwind: support wildcard in blacklist
To: Otto Moerbeek
Cc: "Kirill A. Korinsky", OpenBSD tech, florian@openbsd.org
Date: Tue, 25 Jun 2024 13:28:03 +0100

On 2024/06/25 07:20, Otto Moerbeek wrote:
> On Mon, Jun 24, 2024 at 10:55:23PM +0100, Kirill A. Korinsky wrote:
>
> > Florian, tech@,
> >
> > Here is a diff which introduced support of wildcard inside unwind's domain
> > blacklist. Wildcard supported only at beginning and as '*' which should be
> > followed by '.'.
> >
> > So, after that these two lines:
> >
> > google.com
> > *.google.com
> >
> > blocks any requests to google.com and all its subdomains.
>
> Please be aware that in DNS wildcards are already used and have a
> somewhat different than expected interpretation.
>
> https://en.wikipedia.org/wiki/Wildcard_DNS_record
>
> This means that this should be documented extra carefully, or a
> different syntax should be used that does not confuse DNS people.

I agree. How about just ".google.com" to match in this fashion?
Syntax like this is common in some MTAs, is fairly understandable,
and doesn't get confused with DNS wildcards.
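
Added example, not part of the message above and not unwind's code: a sketch of how a leading-dot entry such as ".google.com" could be matched next to a plain entry. The function name `blocklist_match` is hypothetical, and it assumes that a leading-dot entry covers only names strictly below the domain, so the apex still needs its own plain line.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Length of a name without one trailing root dot ("a.b." == "a.b"). */
static size_t
name_len(const char *s)
{
	size_t n = strlen(s);

	return (n > 0 && s[n - 1] == '.') ? n - 1 : n;
}

/*
 * Hypothetical helper, not unwind's code. Returns 1 if qname is covered.
 *   "google.com"   matches that exact name only
 *   ".google.com"  matches names strictly below google.com (assumption)
 * Comparison is case-insensitive, as DNS names are.
 */
int
blocklist_match(const char *entry, const char *qname)
{
	size_t elen = name_len(entry), qlen = name_len(qname);

	if (elen == 0 || qlen == 0)
		return 0;
	if (entry[0] != '.')	/* plain entry: whole name must be equal */
		return elen == qlen && strncasecmp(entry, qname, elen) == 0;
	if (elen < 2 || qlen <= elen)	/* bare dot, or no room for a label */
		return 0;
	/* The entry's own leading dot pins the match to a label boundary. */
	return strncasecmp(qname + (qlen - elen), entry, elen) == 0;
}

int
main(void)
{
	/* Constructed sample query names. */
	const char *q[] = { "www.google.com", "google.com", "notgoogle.com",
	    "Mail.GOOGLE.com." };
	size_t i;

	for (i = 0; i < sizeof(q) / sizeof(q[0]); i++)
		printf("%-18s .google.com=%d google.com=%d\n", q[i],
		    blocklist_match(".google.com", q[i]),
		    blocklist_match("google.com", q[i]));
	return 0;
}
```

Because the dot is part of the compared suffix, "notgoogle.com" is not caught by ".google.com", which is the usual failure of a naive suffix comparison.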