krb5: DNS SRV records test for invalid gTLD

As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is a
controlled interuption service which will return explicit responses to DNS
A, MX, SRV, and TXT queries that can be used to detect private namespace collisions.

Modify SRV records lookups to detect the special hostname returned in the
SRV response, skip the response, and record an appropriate error if it is detected.

Write a warning to the log (if any).

Change-Id: I47e049b617e39e49939bc92d513a547de1d04624

lib/krb5/krbhst.c

@@ -108,16 +108,32 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
 
     for(num_srv = 0, rr = r->head; rr; rr = rr->next)
 	if(rr->type == rk_ns_t_srv) {
-	    krb5_krbhst_info *hi;
-	    size_t len = strlen(rr->u.srv->target);
+	    krb5_krbhst_info *hi = NULL;
+	    size_t len;
+	    int invalid_tld = 1;
 
-	    hi = calloc(1, sizeof(*hi) + len);
+	    /* Test for top-level domain controlled interruptions */
+	    if (strncmp("your-dns-needs-immediate-attention.",
+			rr->u.srv->target, 35) == 0
+		 && strchr(&rr->u.srv->target[35], '.') == NULL) {
+		invalid_tld = 0;
+		len = strlen(rr->u.srv->target);
+		hi = calloc(1, sizeof(*hi) + len);
+	    }
 	    if(hi == NULL) {
 		rk_dns_free_data(r);
 		while(--num_srv >= 0)
 		    free((*res)[num_srv]);
 		free(*res);
 		*res = NULL;
+		if (invalid_tld) {
+		    krb5_warnx(context,
+			       "Domain lookup failed: "
+			       "Realm %s needs immediate attention "
+			       "see https://icann.org/namecollision",
+			       realm);
+		    return KRB5_KDC_UNREACH;
+		}
 		return krb5_enomem(context);
 	    }
 	    (*res)[num_srv++] = hi;