abort connection on '.' target replies in SRV

Commit 3af3ac2f5ec007badeded46a94be2bd06b9917a2 (released in 1.3~pre1)
implements proper fallback for SRV, but that works actually too good
as the RFC defines that such an SRV record should indicate that the
server doesn't provide this service and apt should respect this.

The solution is hence to fail again as requested even if that isn't what
the user (and perhaps even the server admins) wanted. At least we will
print a message now explicitly mentioning SRV to point people in the
right direction.

Reported-In: https://bugs.kali.org/view.php?id=3525
Reported-By: Raphaël Hertzog

methods/connect.cc

@@ -63,6 +63,8 @@ void RotateDNS()
 									/*}}}*/
 static bool ConnectionAllowed(char const * const Service, std::string const &Host)/*{{{*/
 {
+   if (unlikely(Host.empty())) // the only legal empty host (RFC2782 '.' target) is detected by caller
+      return false;
    if (APT::String::Endswith(Host, ".onion") && _config->FindB("Acquire::BlockDotOnion", true))
    {
       // TRANSLATOR: %s is e.g. Tor's ".onion" which would likely fail or leak info (RFC7686)
@@ -298,7 +300,13 @@ bool Connect(std::string Host,int Port,const char *Service,
    {
       SrvRecords.clear();
       if (_config->FindB("Acquire::EnableSrvRecords", true) == true)
+      {
          GetSrvRecords(Host, DefPort, SrvRecords);
+	 // RFC2782 defines that a lonely '.' target is an abort reason
+	 if (SrvRecords.size() == 1 && SrvRecords[0].target.empty())
+	    return _error->Error("SRV records for %s indicate that "
+		  "%s service is not available at this domain", Host.c_str(), Service);
+      }
    }
 
    size_t stackSize = 0;