From 325464eb11a4b6c31430c6a1d40db74207802cd4 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 21 Dec 2022 23:46:37 +0100
Subject: net.resolvers.service: Fix reporting of Bogus DNSSEC results

The order of checks led to Bogus results being reported with a generic "unable to resolve service". This had no practical effects as such results are simply empty and the process would stop there. Tested by attempting to establish s2s with dnssec-bogus.sg and observing the error reply.
---
 net/resolvers/service.lua | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/resolvers/service.lua b/net/resolvers/service.lua
index a7ce76a3..1e2aaeec 100644
--- a/net/resolvers/service.lua
+++ b/net/resolvers/service.lua
@@ -111,12 +111,15 @@ function methods:next(cb)
 answer = {};
 end
 if answer then
- if self.extra and not answer.secure then
- self.extra.use_dane = false;
- elseif answer.bogus then
+ if answer.bogus then
 self.last_error = "Validation error in SRV lookup";
 ready();
 return;
+ elseif not answer.secure then
+ if self.extra then
+ -- Insecure results, so no DANE
+ self.extra.use_dane = false;
+ end
 end
 if #answer == 0 then
-- cgit v1.2.3
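Review bot: The bogus-before-insecure ordering in the new `if answer.bogus then … elseif not answer.secure then` chain is load-bearing, but nothing in the code says so. Going by the commit message, the old order let a bogus answer be caught by the `not answer.secure` test whenever `self.extra` was set, so it never reached the bogus branch. A one-line comment above the first branch would guard against the branches being reordered again, e.g. `-- Check bogus first: a bogus answer is also not secure and must fail the lookup, not just disable DANE`. The bogus path records only `self.last_error`; if the rest of `methods:next` does not already log it, a log line naming the queried service would let operators tell validation failures from ordinary lookup failures. The function body starts and ends outside this hunk, so that part could not be checked here.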