antoniomika / sish

HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.
https://ssi.sh
MIT License

Prevent binding to hostnames with dots under *.tuns.sh #326

Open mac-chaffee opened 1 month ago

mac-chaffee commented 1 month ago

Sish supports binding to custom domains like this:

ssh -i ./correct_key -R mac-test.macchaffee.com:80:localhost:8000 tuns.sh

This works if you have the _sish.mac-test.macchaffee.com TXT record created and the key fingerprint matches.

But if domain validation fails (either the TXT record is missing or the fingerprints don't match) sish still creates the tunnel:

$ ssh -i ./incorrect_key -R mac-test.macchaffee.com:80:localhost:8000 tuns.sh
Enter passphrase for key '/Users/mac/.ssh/id_ed25519_homelab': 
Press Ctrl-C to close the session.

Starting SSH Forwarding service for http:80. Forwarded connections can be accessed via the following methods:
Service console can be accessed here: https://mac-mac-test.macchaffee.com.tuns.sh/_sish/console?x-authorization=<omitted>
HTTP: http://mac-mac-test.macchaffee.com.tuns.sh
HTTPS: https://mac-mac-test.macchaffee.com.tuns.sh

Because the domain has dots in it, the wildcard cert for *.tuns.sh won't work, so a new Let's Encrypt cert is provisioned, which is bad because the cert counts towards tuns.sh's Let's Encrypt rate limit. Not a huge deal since the worst a malicious user could do is prevent you from launching new TLS-protected sites on subdomains of tuns.sh (doesn't affect renewals of existing certs).

I think ideally, sish should return an error if someone tries to bind to a *.tuns.sh domain with dots in it. This would make it easier to debug DNS validation errors, while also preventing people from hitting Let's Encrypt rate limits on your behalf. Thoughts?
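The check proposed above, written out as an added Go example (not sish's own code): it assumes the fallback naming `<user>-<requested>.<root>` seen in the session output, takes the TXT-record/fingerprint validation result as a caller-supplied boolean, and rejects any name under the root domain that the `*.tuns.sh` wildcard certificate would not cover.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrDottedSubdomain: a *.root wildcard cert cannot cover extra labels below root.
var ErrDottedSubdomain = errors.New("hostname under root domain must not contain dots")

// coveredByWildcard reports whether host is matched by a *.root wildcard
// certificate, i.e. exactly one non-empty label directly under root.
func coveredByWildcard(host, root string) bool {
	suffix := "." + root
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// checkBind decides whether a -R bind for requested may proceed. validated is
// the TXT-record/fingerprint outcome (assumed done by the caller).
func checkBind(user, requested, root string, validated bool) (string, error) {
	requested = strings.ToLower(strings.TrimSuffix(requested, "."))
	root = strings.ToLower(strings.TrimSuffix(root, "."))
	if strings.HasSuffix(requested, "."+root) {
		// Directly under the root domain: only wildcard-covered names pass.
		if !coveredByWildcard(requested, root) {
			return "", ErrDottedSubdomain
		}
		return requested, nil
	}
	if validated {
		return requested, nil // genuine custom domain, cert issued for it
	}
	// Validation failed: sish would serve "<user>-<requested>.<root>" (assumed
	// naming, as in the issue). Refuse it if it would need a per-host cert.
	if fb := user + "-" + requested + "." + root; coveredByWildcard(fb, root) {
		return fb, nil
	}
	return "", ErrDottedSubdomain
}

func main() {
	host, err := checkBind("mac", "mac-test.macchaffee.com", "tuns.sh", false)
	fmt.Printf("host=%q err=%v\n", host, err)
}
```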