net.resolvers.service: Only do DANE with secure SRV records
If this seems backwards, that' because it is but the API isn't really
designed to easily pass along details from each resolution step onto the
next.
--- a/net/resolvers/service.lua Sun Jul 18 22:46:57 2021 +0200
+++ b/net/resolvers/service.lua Sun Jul 18 23:25:45 2021 +0200
@@ -50,6 +50,10 @@
answer = {};
end
if answer then
+ if self.extra and not answer.secure then
+ self.extra.use_dane = false;
+ end
+
if #answer == 0 then
if self.extra and self.extra.default_port then
table.insert(targets, { self.hostname, self.extra.default_port, self.conn_type, self.extra });