Extraneous configurations MUST have invalid DNS names?

[ekr]

Suggested in AD review.

[ekr]

Also, should we provide guidance on how to select these names. Paul writes:

Should it use known-invalid DNS names, eg "invalid:com", or some randomized long valid but unlikely DNS name? Guidaance would be useful.