--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Thu Mar 06 01:10:21 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Mar 07 23:30:34 2014 +0100
@@ -1,7 +1,9 @@
 -- mod_s2s_auth_dane
+-- Copyright (C) 2013-2014 Kim Alvefur
 --
--- Between the DNS lookup and the certificate validation, there is a race condition.
--- Solving that probably requires changes to mod_s2s, like using util.async
+-- This file is MIT/X11 licensed.
+--
+-- Could be done much cleaner if mod_s2s was using util.async
 
 
 module:set_global();
@@ -11,7 +13,6 @@
 local base64 = require"util.encodings".base64;
 
 local s2sout = module:depends"s2s".route_to_new_session.s2sout;
-local _try_connect = s2sout.try_connect;
 
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
@@ -27,6 +28,9 @@
 -- No SRV records
 -- No encryption offered
 
+-- This function is called when a new SRV target has been picked
+-- the original function does A/AAAA resolution before continuing
+local _try_connect = s2sout.try_connect;
 function s2sout.try_connect(host_session, connect_host, connect_port, err)
 	local srv_hosts = host_session.srv_hosts;
 	local srv_choice = host_session.srv_choice;
@@ -97,6 +101,7 @@
 			end
 		end
 		if not match_found then
+			-- No TLSA matched or response was bogus
 			(session.log or module._log)("warn", "DANE validation failed");
 			session.cert_identity_status = "invalid";
 			session.cert_chain_status = "invalid";
@@ -111,6 +116,7 @@
 		local srv_choice = session.srv_choice;
 		if srv_hosts[srv_choice].dane and not session.secure then
 			-- TLSA record but no TLS, not ok.
+			-- TODO Optional?
 			session:close({
 				condition = "policy-violation",
 				text = "Encrypted server-to-server communication is required but was not "
@@ -122,6 +128,7 @@
 end
 
 function module.unload()
+	-- Restore the original try_connect function
 	s2sout.try_connect = _try_connect;
 end