From 8c7672a550946d7e2554381a195048ab8c8e20bc Mon Sep 17 00:00:00 2001
From: Julien Cristau
Date: Tue, 8 Oct 2019 19:35:51 +0200
Subject: [PATCH] ud-mailgate: block punycode DNS entries

Keep an exception for a single existing domain.
---
 ud-mailgate | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ud-mailgate b/ud-mailgate
index 0d6d330..baaf08a 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -371,6 +371,10 @@ def DoDNS(Str, Attrs, DnRecord):
 aaaarecord is None:
 return None
 
+ # Check for punycode. We ought to validate it before we allow it in our zone.
+ if Str.lower().startswith('xn--') and Str.lower() != 'xn--mnchen-3ya':
+ return "Punycode not allowed: " + Str
+
 # Check if the name is already taken
 G = re.match(r'^([-\w+]+)\s', Str)
 if G is None:
-- 
2.20.1
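Review bot: The exception for the existing domain looks unreachable: `Str.lower() != 'xn--mnchen-3ya'` compares the whole of `Str` with a bare label, while the regex just below (`^([-\w+]+)\s`) shows that `Str` is expected to hold the name followed by whitespace and record data, so a real record line for that name would never compare equal and would be rejected as well. Testing the parsed name instead of the raw line avoids this, e.g. after the `G is None` check: `Name = G.group(1).lower()` followed by `if Name.startswith('xn--') and Name != 'xn--mnchen-3ya':`. The prefix test also covers only the start of the line, so if record targets can carry names too, the comment should say whether they are deliberately left unchecked. DoDNS starts before and continues past this hunk, so this is inferred from the visible lines only.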