mirror of https://github.com/openbsd/src.git synced 2026-06-18 07:13:36 +02:00

DNS0x20[1] can randomise the case of domain names returned by lookup
to force some more uniqueness in queries to reduce the likelihood
of spoofing attacks succeeding.

Normally this should be hidden from the user by the resolver, but
in some cases it can leak through. When it does, it can mess up
ssh's CanonicalizePermittedCNAMEs.

Fix this by forcing the name we received from the system resolver to
lowercase.

bz3966, report and fix by Martin D Kealey

[1] https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00
This commit is contained in:
djm
2026-05-31 05:55:21 +00:00
parent b6d27d6c2c
commit b67053e173
+2 -1
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.631 2026/05/31 04:24:39 djm Exp $ */
/* $OpenBSD: ssh.c,v 1.632 2026/05/31 05:55:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -387,6 +387,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
"\"%s\" => \"%s\"", *namep, cname);
free(*namep);
*namep = xstrdup(cname);
lowercase(*namep);
return 1;
}
return 0;
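Review bot: lowercase() is applied only on the branch that replaces *namep with the CNAME (right after `*namep = xstrdup(cname);`), so this hunk does not show the case of the name check_follow_cname was originally handed, nor the case of cname at the point it is matched; since the commit message says the leaked mixed case breaks the CanonicalizePermittedCNAMEs check, confirm that the comparison itself sees a folded name and not only the value stored for later use. Separately, the diffstat is +2 -1 and the only non-header addition is this one call, so no prototype is added here; worth a glance that lowercase() is already declared for ssh.c rather than picked up as an implicit declaration.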