diff --git a/synapse/federation/transport/client.py b/synapse/federation/transport/client.py
index 86af251d43..29273069ba 100644
--- a/synapse/federation/transport/client.py
+++ b/synapse/federation/transport/client.py
@@ -182,7 +182,7 @@ class TransportLayerClient(object):
             long_retries=True,
             backoff_on_404=True,  # If we get a 404 the other side has gone
             try_trailing_slash_on_400=True,
-            retry_on_dns_fail=self.backoff_settings.dns_resolution,
+            retry_on_dns_fail=not self.backoff_settings.dns_resolution,
         )
 
         defer.returnValue(response)
diff --git a/synapse/http/matrixfederationclient.py b/synapse/http/matrixfederationclient.py
index 53f45824eb..1ea955fb42 100644
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
@@ -20,6 +20,7 @@ import sys
 from io import BytesIO
 
 from six import PY3, raise_from, string_types
+from service_identity.exceptions import VerificationError
 from six.moves import urllib
 
 import attr
@@ -432,7 +433,7 @@ class MatrixFederationHttpClient(object):
                         for i in e.reasons:
                             # If it's an OpenSSL error, they probably don't have
                             # a valid certificate or something else very bad went on.
-                            if i.check(SSL.Error):
+                            if i.check(SSL.Error) or i.check(VerificationError):
                                 if self.backoff_settings.invalid_tls:
                                     raise_from(RequestSendFailed(e, can_retry=False), e)