Don't just blindly upgrade to VALIDATING if we see a SECURE answer.

Let's go through the check_resolver() / new_resolver() code path
which will also hook up the resovler to the shared cache.
This means also one less special case for upcomming DNS64 support.

diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c
index f5a1f3e..b4ae3fd 100644 (file)
--- a/sbin/unwind/resolver.c
+++ b/sbin/unwind/resolver.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: resolver.c,v 1.131 2021/01/19 16:52:40 florian Exp $  */
+/*     $OpenBSD: resolver.c,v 1.132 2021/01/23 16:27:24 florian Exp $  */
 
 /*
  * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -1008,8 +1008,8 @@ resolve_done(struct uw_resolver *res, void *arg, int rcode,
        if (result->rcode == LDNS_RCODE_SERVFAIL)
                goto servfail;
 
-       if (sec == SECURE)
-               res->state = VALIDATING;
+       if (sec == SECURE && res->state != VALIDATING && res->stop != -1)
+               check_resolver(res);
 
        if (res->state == VALIDATING && sec == BOGUS) {
                answer_header->bogus = !force_acceptbogus;