From ff032aa41be7fb61fdc9b70383830e31a1f3acc3 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sun, 12 Nov 2023 00:35:22 +0100
Subject: mod_s2s_auth_dane_in: Bail out on explicit service denial

---
 plugins/mod_s2s_auth_dane_in.lua | 1 +
 1 file changed, 1 insertion(+)

(limited to 'plugins')

diff --git a/plugins/mod_s2s_auth_dane_in.lua b/plugins/mod_s2s_auth_dane_in.lua
index e2d6743a..777fa582 100644
--- a/plugins/mod_s2s_auth_dane_in.lua
+++ b/plugins/mod_s2s_auth_dane_in.lua
@@ -70,6 +70,7 @@ module:hook("s2s-check-certificate", function(event)
 	local function fetch_tlsa(res)
 		local tlsas = {};
 		for _, rr in ipairs(res) do
+			if rr.srv.target == "." then return {}; end
 			table.insert(tlsas, resolver:lookup_promise(("_%d._tcp.%s"):format(rr.srv.port, rr.srv.target), "TLSA"):next(ensure_secure));
 		end
 		return promise.all(tlsas);
-- 
cgit v1.2.3