Don't just blindly upgrade to VALIDATING if we see a SECURE answer.
This can happen if things improve after we check a strategy, for
example ntpd corrected the time.
Let's go through the check_resolver() / new_resolver() code path
which will also hook up the resovler to the shared cache.
diff --git resolver.c resolver.c
index f5a1f3e1f59..d42d19c1087 100644
--- resolver.c
+++ resolver.c
@@ -1008,8 +1008,8 @@ resolve_done(struct uw_resolver *res, void *arg, int
rcode,
if (result->rcode == LDNS_RCODE_SERVFAIL)
goto servfail;
- if (sec == SECURE)
- res->state = VALIDATING;
+ if (sec == SECURE && res->state != VALIDATING && res->stop != -1)
+ check_resolver(res);
if (res->state == VALIDATING && sec == BOGUS) {
answer_header->bogus = !force_acceptbogus;
--
I'm not entirely sure you are real.
