From 07ef92dbd8e01a3ad2f20fc085a7b974ff6bfeb4 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sun, 18 Jul 2021 23:25:45 +0200
Subject: net.resolvers.service: Only do DANE with secure SRV records

If this seems backwards, that' because it is but the API isn't really
designed to easily pass along details from each resolution step onto the
next.
---
 net/resolvers/service.lua | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'net')

diff --git a/net/resolvers/service.lua b/net/resolvers/service.lua
index d74adf06..204c8a7f 100644
--- a/net/resolvers/service.lua
+++ b/net/resolvers/service.lua
@@ -50,6 +50,10 @@ function methods:next(cb)
 			answer = {};
 		end
 		if answer then
+			if self.extra and not answer.secure then
+				self.extra.use_dane = false;
+			end
+
 			if #answer == 0 then
 				if self.extra and self.extra.default_port then
 					table.insert(targets, { self.hostname, self.extra.default_port, self.conn_type, self.extra });
-- 
cgit v1.2.3