From: "Theo de Raadt"
Subject: Re: unwind: support wildcard in blacklist
To: Raf Czlonka
Cc: Otto Moerbeek, "Kirill A. Korinsky", florian@openbsd.org, Stuart Henderson, tech@openbsd.org
Date: Tue, 25 Jun 2024 10:56:36 -0600

> > I agree. How about just ".google.com" to match in this fashion?
> > Syntax like this is common in some MTAs, is fairly understandable,
> > and doesn't get confused with DNS wildcards.
>
> I was about to suggest the same thing, but give 'domain_realm' in
> krb5.conf as an example :^)
>
> At the same time, I wanted to ask for clarification whether the
> proposed change would also work in the same way:
>
>     The domain can be either a full name of a host or a trailing
>     component, in the latter case the domain-string should start
>     with a period. The trailing component only matches hosts
>     that are in the same domain, ie ".example.com" matches
>     "foo.example.com", but not "foo.test.example.com".

Whoa.

I don't consider any aspect of kerberos to be guidance for any other
subsystem.
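
The two readings of a leading-dot entry that the quoted question turns on, as an added example that is not part of the original mail and is not unwind's code. The function `entry_matches`, its `one_level` flag and the sample names are hypothetical and constructed for illustration; neither reading is claimed to be what the proposed change implements.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Hypothetical helper (assumption, not unwind code).
 * Entry without a leading dot: exact, case-insensitive host match.
 * Entry with a leading dot: suffix match on a label boundary.
 *   one_level != 0: only direct children match (the quoted krb5.conf text)
 *   one_level == 0: names at any depth below the domain match
 */
int entry_matches(const char *entry, const char *name, int one_level)
{
	size_t elen = strlen(entry), nlen = strlen(name);

	/* Ignore a trailing root dot on either side ("example.com."). */
	if (elen > 0 && entry[elen - 1] == '.')
		elen--;
	if (nlen > 0 && name[nlen - 1] == '.')
		nlen--;
	if (elen == 0 || nlen == 0)
		return 0;
	if (entry[0] != '.')
		return elen == nlen && strncasecmp(entry, name, elen) == 0;

	/* The dot is part of the comparison, so "badexample.com" cannot
	 * match ".example.com", and the bare domain does not match either. */
	if (nlen <= elen)
		return 0;
	if (strncasecmp(name + nlen - elen, entry, elen) != 0)
		return 0;
	if (!one_level)
		return 1;
	/* Direct child only: no further dot in the part before the suffix. */
	return memchr(name, '.', nlen - elen) == NULL;
}

int main(void)
{
	/* Constructed sample names. */
	const char *names[] = { "example.com", "foo.example.com",
	    "foo.test.example.com", "badexample.com" };
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-22s one-level=%d any-depth=%d\n", names[i],
		    entry_matches(".example.com", names[i], 1),
		    entry_matches(".example.com", names[i], 0));
	return 0;
}
```

For a blocklist the difference is what slips through: under the one-level reading, "foo.test.example.com" is not covered by ".example.com" and needs its own entry.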