mod_s2s_auth_certs: Validate certificates against secure SRV targets Secure delegation or "Mini-DANE" As with the existing DANE support, only usable in one direction, client certificate authentication will fail if this is relied on.

net.resolvers.basic: Record hostname coming from secure SRV records Will be useful even later...

net.resolvers.service: Record DNSSEC security status of SRV records Will be useful later.

net.resolvers.service: Fix reporting of Bogus DNSSEC results The order of checks led to Bogus results being reported with a generic "unable to resolve service". This had no practical effects as such results are simply empty and the process would stop there. Tested by attempting to establish s2s with dnssec-bogus.sg and observing the error reply.

Revert unintentionally committed parts of 12bd40b8e105

mod_s2s: Retrieve stanza size limit from peer for bidi connections Having mod_s2s know about the bidi namespace is perhaps a bit awkward but putting this in mod_s2s_bidi would be more awkward as it has nothing to do with limits. Some indirection event could be added in the future.

mod_s2s: Advertise stream features on bidi connections

mod_s2s_bidi: Add provisions for advertising features to bidi peers As introduced in XEP-xxxx: Stream Limits Advertisement

mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits Advertisement Thanks MattJ

mod_s2s: Avoid sending too large stanzas Just dropping them isn't great but hopefully something more sensible can be done in the future. Will need work to ensure that this signal is handled correctly in sending modules etc.