diff --git a/doc/doap.xml b/doc/doap.xml
index 79ef9d684..c5501be2c 100644
--- a/doc/doap.xml
+++ b/doc/doap.xml
@@ -67,6 +67,7 @@
     <implements rdf:resource="https://datatracker.ietf.org/doc/draft-cridland-xmpp-session/">
       <!-- since=0.6.0 note=Added in hg:0bbbc9042361 -->
     </implements>
+    <implements rdf:resource="https://datatracker.ietf.org/doc/draft-ietf-dance-client-auth"/>
     <implements rdf:resource="http://www.unicode.org/reports/tr39/"/>
     <implements>
       <xmpp:SupportedXep>
diff --git a/plugins/mod_s2s_auth_dane_in.lua b/plugins/mod_s2s_auth_dane_in.lua
index 26df0de9d..9167e8a91 100644
--- a/plugins/mod_s2s_auth_dane_in.lua
+++ b/plugins/mod_s2s_auth_dane_in.lua
@@ -24,6 +24,11 @@ local function ensure_secure(r)
 	return r;
 end
 
+local function ensure_nonempty(r)
+	assert(r[1], "empty");
+	return r;
+end
+
 local function flatten(a)
 	local seen = {};
 	local ret = {};
@@ -90,10 +95,12 @@ module:hook("s2s-check-certificate", function(event)
 		return promise.all(tlsas):next(flatten);
 	end
 
-	local ret = async.wait_for(promise.all({
-		resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
-		resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
-	}):next(flatten));
+	local ret = async.wait_for(resolver:lookup_promise("_xmpp-server." .. dns_domain, "TLSA"):next(ensure_secure):next(ensure_nonempty):catch(function()
+		return promise.all({
+			resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
+			resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
+		}):next(flatten);
+	end));
 
 	if not ret then
 		return