From d6c92d3f07efbfe90ca20b483a3c66bce1d9afad Mon Sep 17 00:00:00 2001
From: Artem Boldariev
Date: Fri, 14 Mar 2025 21:35:39 +0200
Subject: [PATCH] Dig: carefully check if the server name for SNI is a hostname

Previously the code would not check if the string intended to be used for SNI is a hostname.

(cherry picked from commit 16a306687a2049dff0bb4139165fc22381905643)
---
 bin/dig/dighost.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 87dbd5b80d..90e8f0c0ad 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -2793,8 +2793,19 @@ _cancel_lookup(dig_lookup_t *lookup, const char *file, unsigned int line) {
 static inline const char *
 get_tls_sni_hostname(dig_query_t *query) {
-	return query->lookup->tls_hostname_set ? query->lookup->tls_hostname
-					       : query->userarg;
+	const char *hostname = query->lookup->tls_hostname_set
+				       ? query->lookup->tls_hostname
+				       : query->userarg;
+
+	if (query->lookup->tls_hostname_set) {
+		return query->lookup->tls_hostname;
+	}
+
+	if (isc_tls_valid_sni_hostname(hostname)) {
+		return hostname;
+	}
+
+	return NULL;
 }
 static isc_tlsctx_t *
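Review bot: The three-line ternary that initializes `hostname` at the top of get_tls_sni_hostname() is dead after this change: the `tls_hostname_set` case returns on the very next statement, so by the time `isc_tls_valid_sni_hostname(hostname)` runs, `hostname` can only ever be `query->userarg`. Drop the initializer and test the argument directly, `if (isc_tls_valid_sni_hostname(query->userarg)) { return query->userarg; }`, which also removes the misleading suggestion that an explicit `+tls-hostname` is validated. That asymmetry (an explicitly requested SNI name is sent as-is, only the server argument is checked) looks deliberate but deserves a comment above the first `if`, e.g. `/* An explicitly requested SNI name is used verbatim; the server argument is only sent as SNI if it is a valid hostname (presumably not an address literal). */`. Since the function can now return NULL, every caller must treat NULL as "omit SNI" rather than hand it to the TLS layer; the callers are outside this hunk, so that cannot be confirmed here, and it is likewise worth confirming that `isc_tls_valid_sni_hostname()` tolerates a NULL `userarg` if one can reach this point.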