Don't just blindly upgrade to VALIDATING if we see a SECURE answer. This can happen if things improve after we check a strategy, for example ntpd corrected the time.
Let's go through the check_resolver() / new_resolver() code path which will also hook up the resolver to the shared cache. diff --git resolver.c resolver.c index f5a1f3e1f59..d42d19c1087 100644 --- resolver.c +++ resolver.c @@ -1008,8 +1008,8 @@ resolve_done(struct uw_resolver *res, void *arg, int rcode, if (result->rcode == LDNS_RCODE_SERVFAIL) goto servfail; - if (sec == SECURE) - res->state = VALIDATING; + if (sec == SECURE && res->state != VALIDATING && res->stop != -1) + check_resolver(res); if (res->state == VALIDATING && sec == BOGUS) { answer_header->bogus = !force_acceptbogus; -- I'm not entirely sure you are real.
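Review bot: the new condition in resolve_done() tests `res->stop != -1` against a bare -1 with nothing in the hunk saying what that value means; a short comment or a named constant would make the guard readable and show why it has to suppress the re-check. Separately, the lines right after the call still dereference `res` (`res->state == VALIDATING && sec == BOGUS`), and the commit message says this path runs through new_resolver(), so please confirm that `res` is still valid once check_resolver(res) returns. Since `res->state` is no longer assigned here, a one-line comment stating that the upgrade to VALIDATING now happens only after the check completes would also document the intended behaviour for the current answer.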