From 325464eb11a4b6c31430c6a1d40db74207802cd4 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Wed, 21 Dec 2022 23:46:37 +0100
Subject: net.resolvers.service: Fix reporting of Bogus DNSSEC results

The order of checks led to Bogus results being reported with a generic
"unable to resolve service".  This had no practical effects as such
results are simply empty and the process would stop there.

Tested by attempting to establish s2s with dnssec-bogus.sg and observing
the error reply.
---
 net/resolvers/service.lua | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'net')

diff --git a/net/resolvers/service.lua b/net/resolvers/service.lua
index a7ce76a3..1e2aaeec 100644
--- a/net/resolvers/service.lua
+++ b/net/resolvers/service.lua
@@ -111,12 +111,15 @@ function methods:next(cb)
 			answer = {};
 		end
 		if answer then
-			if self.extra and not answer.secure then
-				self.extra.use_dane = false;
-			elseif answer.bogus then
+			if answer.bogus then
 				self.last_error = "Validation error in SRV lookup";
 				ready();
 				return;
+			elseif not answer.secure then
+				if self.extra then
+					-- Insecure results, so no DANE
+					self.extra.use_dane = false;
+				end
 			end
 
 			if #answer == 0 then
-- 
cgit v1.2.3