Florian Obser([email protected]) on 2021.07.23 20:28:33 +0200:
> Do not doubt a secure (i.e. validated) NXDOMAIN response when we just
> switched networks. We just validated it!
>
> While here reorder the long list of conditions to make it easier to
> understand when we doubt a response because we might be behind a
> captive portal. First list all conditions when we do not doubt the
> response and then the two conditions when we do doubt the response.
>
> OK?
ok
>
> diff --git resolver.c resolver.c
> index 06f09604f6e..7e18fc3449a 100644
> --- resolver.c
> +++ resolver.c
> @@ -988,9 +988,9 @@ resolve_done(struct uw_resolver *res, void *arg, int
> rcode,
> force_acceptbogus = 0;
>
> timespecsub(&tp, &last_network_change, &elapsed);
> - if ((result->rcode == LDNS_RCODE_NXDOMAIN || sec == BOGUS) &&
> - !force_acceptbogus && res->type != UW_RES_ASR && elapsed.tv_sec <
> - DOUBT_NXDOMAIN_SEC) {
> + if (sec != SECURE && elapsed.tv_sec < DOUBT_NXDOMAIN_SEC &&
> + !force_acceptbogus && res->type != UW_RES_ASR &&
> + (result->rcode == LDNS_RCODE_NXDOMAIN || sec == BOGUS)) {
> /*
> * Doubt NXDOMAIN or BOGUS if we just switched networks, we
> * might be behind a captive portal.
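Review bot: The comment under the rewritten condition still reads "Doubt NXDOMAIN or BOGUS if we just switched networks", which no longer matches the new leading `sec != SECURE` test: a validated NXDOMAIN is now accepted immediately even inside the DOUBT_NXDOMAIN_SEC window. Consider rewording the comment to say that only a non-validated NXDOMAIN (or a BOGUS answer) is doubted, so the exception the commit message describes is also recorded next to the code. The logic itself looks consistent with the stated intent: `sec == BOGUS` already implies `sec != SECURE`, so the only behaviour change visible here is for NXDOMAIN responses that validated as SECURE.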
>
> --
> I'm not entirely sure you are real.
>