From: florian
Date: Sat, 23 Jan 2021 16:27:24 +0000 (+0000)
Subject: Don't just blindly upgrade to VALIDATING if we see a SECURE answer.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=5df3f0b055646f69a626855be703bc85f08c8c22;p=openbsd

Don't just blindly upgrade to VALIDATING if we see a SECURE answer.

Let's go through the check_resolver() / new_resolver() code path which will
also hook up the resolver to the shared cache.
This means also one less special case for upcoming DNS64 support.
---
diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c index f5a1f3e1f59..b4ae3fd0abf 100644 --- a/sbin/unwind/resolver.c +++ b/sbin/unwind/resolver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: resolver.c,v 1.131 2021/01/19 16:52:40 florian Exp $ */ +/* $OpenBSD: resolver.c,v 1.132 2021/01/23 16:27:24 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser @@ -1008,8 +1008,8 @@ resolve_done(struct uw_resolver *res, void *arg, int rcode, if (result->rcode == LDNS_RCODE_SERVFAIL) goto servfail; - if (sec == SECURE) - res->state = VALIDATING; + if (sec == SECURE && res->state != VALIDATING && res->stop != -1) + check_resolver(res); if (res->state == VALIDATING && sec == BOGUS) { answer_header->bogus = !force_acceptbogus;
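
Review bot: In the resolve_done() hunk, the new condition "sec == SECURE && res->state != VALIDATING && res->stop != -1" depends on an undocumented sentinel: nothing in the visible lines says what res->stop == -1 means, so a short comment or a named constant should explain why check_resolver() has to be skipped in that case. The removed assignment changed res->state immediately, while the effect of check_resolver(res) on res->state is not visible here. If the state is not updated before the call returns, every later SECURE answer will satisfy the same condition and call check_resolver(res) again, and the "res->state == VALIDATING && sec == BOGUS" branch that follows will not run for BOGUS answers until the state changes. A comment stating whether repeated calls are harmless and whether that window is intended would settle both questions.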