Changeset
1341:f5c256a5f209
Merge
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 10 Mar 2014 00:04:00 +0100 |
parents | 1340:3ffd64b4ab59 (current diff) 1339:50555c2ccbcd (diff) |
children | 1342:0ae065453dc9 |
files | |
diffstat | 1 files changed, 12 insertions(+), 6 deletions(-) [+] |
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Mar 09 23:35:57 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Mon Mar 10 00:04:00 2014 +0100
@@ -14,6 +14,8 @@
 local s2sout = module:depends"s2s".route_to_new_session.s2sout;
+local bogus = {};
+
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
 local function pem2der(pem)
@@ -35,10 +37,12 @@
 function s2sout.try_connect(host_session, connect_host, connect_port, err)
 local srv_hosts = host_session.srv_hosts;
 local srv_choice = host_session.srv_choice;
- if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then
+ if srv_hosts and srv_hosts.answer.secure and srv_hosts[srv_choice].dane == nil then
 srv_hosts[srv_choice].dane = dns_lookup(function(answer)
- if answer and ( #answer > 0 or answer.bogus ) then
+ if answer and #answer > 0 and answer.secure then
 srv_hosts[srv_choice].dane = answer;
+ elseif answer.bogus then
+ srv_hosts[srv_choice].dane = bogus;
 else
 srv_hosts[srv_choice].dane = false;
 end
@@ -128,18 +132,20 @@
 -- DANE for s2sin
 -- Looks for TLSA at the same QNAME as the SRV record
+ -- FIXME This has a race condition
 module:hook("s2s-stream-features", function(event)
 local origin = event.origin;
 if not origin.from_host or origin.dane ~= nil then return end
 origin.dane = dns_lookup(function(answer)
- if answer and ( #answer > 0 or answer.bogus ) then
- origin.dane = answer;
+ if answer and #answer > 0 and answer.secure then
+ srv_hosts[srv_choice].dane = answer;
+ elseif answer.bogus then
+ srv_hosts[srv_choice].dane = bogus;
 else
 origin.dane = false;
 end
- -- "blocking" until TLSA reply, but no race condition
- end, ("_xmpp-server._tcp.%s"):format(origin.from_host), "TLSA");
+ end, ("_xmpp-server._tcp.%s."):format(origin.from_host), "TLSA");
 end, 1);
 end
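Review bot: The new `elseif answer.bogus then` in the try_connect lookup callback indexes `answer` without the nil guard that the `if` branch above it keeps, so a lookup that completes with `answer == nil` now raises inside the DNS callback instead of reaching the `dane = false` fallback; the removed condition covered both cases with a single `answer and (...)`. Whether dns_lookup ever calls back with nil cannot be confirmed from the diff, but the old code treated it as possible. The guard should read `elseif answer and answer.bogus then`. The same unguarded `elseif` is repeated in the s2sin hook hunk below.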
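Review bot: Inside the s2sin `s2s-stream-features` callback the new `if`/`elseif` branches write to `srv_hosts[srv_choice].dane`, but `srv_hosts` and `srv_choice` are locals of `s2sout.try_connect` in the previous hunk and are not in scope here, while the `else` branch of the same callback still writes `origin.dane = false`, which is the field the hook itself tests with `origin.dane ~= nil`. Unless those two names also exist at file scope outside the hunk, a secure or bogus TLSA answer for an incoming connection now errors on a nil index, and in either case `origin.dane` is never set to the answer, so the incoming session's DANE state stays whatever dns_lookup returned. The two assignments should be `origin.dane = answer;` and `origin.dane = bogus;`. The added `-- FIXME This has a race condition` replaces a comment claiming the opposite; naming what races (presumably the TLSA reply against the stream-features handling) would make it actionable. The hook's enclosing scope continues past the hunk's trailing context.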