author | Kim Alvefur <zash@zash.se> | 2021-03-02 22:41:59 +0100 |
committer | Kim Alvefur <zash@zash.se> | 2021-03-02 22:41:59 +0100 |
commit | 63c92d08978dc74907a8c9a0c9acf0b9d1adec64 (patch) | |
tree | 4cbb90267257d79ff4eb1fe33037d7c2cca63d39 /net | |
parent | 69b2af382efbb4f1728aca9edd9eecb05fc74320 (diff) | |
net.connect: Add DANE support
Disabled DANE by default, since it needs extra steps to be useful. The
built-in DNS stub resolver does not support DNSSEC so having DANE
enabled by default only leads to an extra wasted DNS request.
Diffstat (limited to 'net')
-rw-r--r-- | net/resolvers/basic.lua | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/net/resolvers/basic.lua b/net/resolvers/basic.lua
index a00fbce1..2153a641 100644
--- a/net/resolvers/basic.lua
+++ b/net/resolvers/basic.lua
@@ -28,12 +28,23 @@ function methods:next(cb)
 return;
 end
 
+ local secure = true;
+ local tlsa = {};
 local targets = {};
- local n = 2;
+ local n = 3;
 local function ready()
 n = n - 1;
 if n > 0 then return; end
 self.targets = targets;
+ if self.extra and self.extra.use_dane then
+ if secure then
+ self.extra.tlsa = tlsa;
+ self.extra.dane_hostname = self.hostname;
+ else
+ self.extra.tlsa = nil;
+ self.extra.dane_hostname = nil;
+ end
+ end
 self:next(cb);
 end
 
@@ -43,6 +54,7 @@ function methods:next(cb)
 if not self.extra or self.extra.use_ipv4 ~= false then
 dns_resolver:lookup(function (answer)
 if answer then
+ secure = secure and answer.secure;
 for _, record in ipairs(answer) do
 table.insert(targets, { self.conn_type.."4", record.a, self.port, self.extra });
 end
@@ -56,12 +68,25 @@ function methods:next(cb)
 if not self.extra or self.extra.use_ipv6 ~= false then
 dns_resolver:lookup(function (answer)
 if answer then
+ secure = secure and answer.secure;
 for _, record in ipairs(answer) do
 table.insert(targets, { self.conn_type.."6", record.aaaa, self.port, self.extra });
 end
 end
 ready();
 end, self.hostname, "AAAA", "IN");
+ end
+
+ if self.extra and self.extra.use_dane == true then
+ dns_resolver:lookup(function (answer)
+ if answer then
+ secure = secure and answer.secure;
+ for _, record in ipairs(answer) do
+ table.insert(tlsa, record.tlsa);
+ end
+ end
+ ready();
+ end, ("_%d._tcp.%s"):format(self.port, self.hostname), "TLSA", "IN");
 else
 ready();
 end
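Review bot: A TLSA lookup that returns no answer leaves `secure` true and `tlsa` empty, so the epilogue added to `ready()` still sets `self.extra.tlsa = {}` and `self.extra.dane_hostname`, advertising DANE for a name that produced no usable records; the lookup callbacks only lower `secure` when an answer actually arrives (`secure = secure and answer.secure`), and the same happens when `use_dane` is truthy but not `== true`, since `ready()` tests `self.extra.use_dane` while the TLSA lookup in the third hunk requires `== true`. Whether the TLS layer treats an empty TLSA set as "no DANE" or as a validation failure is not visible here; if it is not fail-closed there, gating on `if secure and #tlsa > 0 then` would avoid publishing an empty set. A comment above `local secure = true;` such as `-- false once any A/AAAA/TLSA answer lacks DNSSEC validation (answer.secure); unanswered queries leave it unchanged` would document the policy. Note that `self.extra` is the same table handed to every target entry, so these fields are mutated in place for all of them. methods:next starts before this hunk.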
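Review bot: Disabling IPv6 now stalls the resolver: the `else ready(); end` that previously closed the `use_ipv6` branch has been moved onto the new `use_dane` block, so with `self.extra.use_ipv6 == false` only two of the three `ready()` calls that `n = 3` waits for ever happen and `self:next(cb)` is never reached. The AAAA branch needs its own fallback again, i.e. after `end, self.hostname, "AAAA", "IN");` close it with `else`, `ready();`, `end` and leave the DANE block's own `else ready(); end` as it is. The TLSA owner name is built with `("_%d._tcp.%s"):format(self.port, self.hostname)`, hard-wiring `_tcp` even though targets are tagged with `self.conn_type` elsewhere in this function; if this resolver is ever used for a non-TCP transport the label should follow `conn_type`. methods:next continues past the end of this hunk.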