#8566 Subordinate suffixes aren't treated as subordinate in trust to Active Directory (crash part)
Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.

When we retrieve trust topology from a trusted Active Directory forest root, UPN suffixes are compacted by AD DC into a list of top level names (TLNs) in such a way that only the most superior one is left in the topology list.

E.g. for UPN suffixes ad.test, temporary.ad.test, some.ad.test, trust topology will advertise only ad.test. The advertised TLN must be considered superior to any UPN suffix ending with it, and thus any principal that uses a subordinate suffix would need to be routed to a domain associated with that TLN.

This logic has been fixed in FreeIPA with commit 8b6d1ab but the patchset contained a bug where a domain with associated UPN suffixes may crash a KDC if the number of UPN suffixes is greater than the total number of trusted domains known to FreeIPA.
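The suffix compaction and routing rule described above, as an added illustration that is not code from the ticket or from FreeIPA's ipa-kdb: it compacts a constructed list of UPN suffixes into TLNs and routes a suffix to the TLN it falls under, matching only on a DNS label boundary (so "notad.test" is not treated as subordinate to "ad.test"). The crash the ticket describes occurs when one count (UPN suffixes) exceeds another (trusted domains), so the example keeps its output buffer capacity explicit and checks it rather than assuming the two counts agree. All names, functions and the sample suffix list are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */
#include <stdbool.h>

/* True when `name` equals `tln` or ends with "." followed by `tln`, compared
 * case-insensitively, i.e. the match is on a DNS label boundary. */
static bool is_subordinate_of(const char *name, const char *tln)
{
    size_t nlen = strlen(name), tlen = strlen(tln);
    if (nlen < tlen)
        return false;
    if (strcasecmp(name + (nlen - tlen), tln) != 0)
        return false;
    return nlen == tlen || name[nlen - tlen - 1] == '.';
}

/* Compact UPN suffixes into top level names: a suffix is kept only when no
 * other, shorter suffix in the list is superior to it. Writes at most
 * `out_cap` entries to `out` and returns how many were written; it never
 * writes past the caller's buffer even when the suffix count exceeds it.
 * Duplicate suffixes are assumed not to occur in the input. */
static size_t compact_to_tlns(const char *const *suffixes, size_t n,
                              const char **out, size_t out_cap)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        bool superior_exists = false;
        for (size_t j = 0; j < n && !superior_exists; j++) {
            if (i == j)
                continue;
            /* strictly subordinate: same-length matches are equal strings */
            if (strlen(suffixes[j]) < strlen(suffixes[i]) &&
                is_subordinate_of(suffixes[i], suffixes[j]))
                superior_exists = true;
        }
        if (!superior_exists) {
            if (count >= out_cap)
                return count;       /* explicit bound instead of a crash */
            out[count++] = suffixes[i];
        }
    }
    return count;
}

/* Route a UPN suffix to the index of the TLN it falls under, or -1 when no
 * advertised TLN is superior to it. The longest matching TLN wins, so the
 * lookup also behaves on a list that was not compacted. */
static int route_suffix(const char *suffix, const char *const *tlns, size_t ntlns)
{
    int best = -1;
    size_t best_len = 0;
    for (size_t i = 0; i < ntlns; i++) {
        size_t len = strlen(tlns[i]);
        if (is_subordinate_of(suffix, tlns[i]) && len > best_len) {
            best = (int)i;
            best_len = len;
        }
    }
    return best;
}

/* Constructed sample: the ticket's three suffixes plus a look-alike that
 * must not be treated as subordinate to ad.test. */
static const char *const SAMPLE_SUFFIXES[] = {
    "ad.test", "temporary.ad.test", "some.ad.test", "notad.test"
};
#define SAMPLE_COUNT (sizeof(SAMPLE_SUFFIXES) / sizeof(SAMPLE_SUFFIXES[0]))

int main(void)
{
    const char *tlns[SAMPLE_COUNT];
    size_t ntlns = compact_to_tlns(SAMPLE_SUFFIXES, SAMPLE_COUNT, tlns, SAMPLE_COUNT);

    printf("advertised TLNs:");
    for (size_t i = 0; i < ntlns; i++)
        printf(" %s", tlns[i]);
    printf("\n");

    const char *lookups[] = { "some.ad.test", "AD.TEST", "notad.test", "other.example" };
    for (size_t i = 0; i < sizeof(lookups) / sizeof(lookups[0]); i++) {
        int idx = route_suffix(lookups[i], tlns, ntlns);
        printf("%-14s -> %s\n", lookups[i], idx < 0 ? "(no trusted domain)" : tlns[idx]);
    }
    return 0;
}
```

Running it prints ad.test and notad.test as the advertised TLNs, routes some.ad.test and AD.TEST to ad.test, notad.test to itself, and reports no trusted domain for other.example.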


Metadata Update from @abbra:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5232
- Issue assigned to abbra

3 years ago

master:

  • 81cbee4 ipa-kdb: fix crash in MS-PAC cache init code

ipa-4-8:

  • 1648576 ipa-kdb: fix crash in MS-PAC cache init code

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
