From: Raf Czlonka
Subject: Re: unwind: support wildcard in blacklist
To: Theo de Raadt
Cc: Otto Moerbeek, "Kirill A. Korinsky", florian@openbsd.org, Stuart Henderson, tech@openbsd.org
Date: Tue, 25 Jun 2024 18:32:46 +0100

On Tue, Jun 25, 2024 at 05:56:36PM BST, Theo de Raadt wrote:
> > > I agree. How about just ".google.com" to match in this fashion?
> > > Syntax like this is common in some MTAs, is fairly understandable,
> > > and doesn't get confused with DNS wildcards.
> >
> > I was about to suggest the same thing, but give 'domain_realm' in
> > krb5.conf as an example :^)
> >
> > At the same time, I wanted to ask for clarification whether the
> > proposed change would also work in the same way:
> >
> >     The domain can be either a full name of a host or a trailing
> >     component, in the latter case the domain-string should start
> >     with a period. The trailing component only matches hosts
> >     that are in the same domain, ie ".example.com" matches
> >     "foo.example.com", but not "foo.test.example.com".
> >
> Whoa. I don't consider any aspect of kerberos to be guidance for
> any other subsystem.

Relax, 'tis but an example of domain and dot.domain :^)

R.
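
The question quoted above comes down to two readings of a leading-dot entry: it covers every name below the domain, or only names one label below it (the krb5.conf rule quoted in the message). The following is an added example, not code from this thread or from unwind; `entry_matches`, its helpers and the `single_label` switch are hypothetical names used to show both readings side by side, with the label-boundary check a blocklist needs so that ".google.com" never matches "notgoogle.com".

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Length of a DNS name, ignoring one trailing root dot. */
static size_t
name_len(const char *s)
{
	size_t n = strlen(s);

	return (n > 0 && s[n - 1] == '.') ? n - 1 : n;
}

/* Case-insensitive comparison of n bytes (DNS names ignore ASCII case). */
static int
eq_nocase(const char *a, const char *b, size_t n)
{
	while (n-- > 0)
		if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++))
			return 0;
	return 1;
}

/*
 * Hypothetical matcher, not unwind's code.  An entry without a leading
 * dot matches only that exact name.  An entry with a leading dot matches
 * names below that domain: at any depth when single_label == 0, or with
 * exactly one extra label (the quoted krb5.conf rule) when it is non-zero.
 */
int
entry_matches(const char *entry, const char *name, int single_label)
{
	size_t elen = name_len(entry), nlen = name_len(name), prefix;

	if (elen == 0 || nlen == 0)
		return 0;
	if (entry[0] != '.')
		return elen == nlen && eq_nocase(entry, name, elen);
	if (nlen <= elen)	/* ".google.com" does not match "google.com" */
		return 0;
	prefix = nlen - elen;
	/* Comparing from the dot onward enforces the label boundary. */
	if (!eq_nocase(name + prefix, entry, elen))
		return 0;
	/* krb5.conf reading: no further dot allowed before the suffix. */
	return !single_label || memchr(name, '.', prefix) == NULL;
}
```
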