authorFlorian Obser <florian@cvs.openbsd.org>2021-07-25 08:36:07 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2021-07-25 08:36:07 +0000
commit5077715d76a8622ad353fca5af43710f4f130eca (patch)
tree6595b84c51cad648d3b127afdecded13960a5b93 /sbin/unwind/resolver.c
parent49597f89d66f276987731cb4d0626bad5315466e (diff)
Do not doubt a secure (i.e. validated) NXDOMAIN response when we just
switched networks. We validated it, we can't do better than that! While here reorder the long list of conditions to make it easier to understand when we doubt a response because we might be behind a captive portal. First list all conditions when we do not doubt the response and then the two conditions when we do doubt the response. OK benno
Diffstat (limited to 'sbin/unwind/resolver.c')
-rw-r--r--sbin/unwind/resolver.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c
index 705366c7a30..562ff7722e0 100644
--- a/sbin/unwind/resolver.c
+++ b/sbin/unwind/resolver.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: resolver.c,v 1.145 2021/07/25 08:34:43 florian Exp $ */
+/* $OpenBSD: resolver.c,v 1.146 2021/07/25 08:36:06 florian Exp $ */
/*
* Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -988,9 +988,9 @@ resolve_done(struct uw_resolver *res, void *arg, int rcode,
force_acceptbogus = 0;
timespecsub(&tp, &last_network_change, &elapsed);
- if ((result->rcode == LDNS_RCODE_NXDOMAIN || sec == BOGUS) &&
- !force_acceptbogus && res->type != UW_RES_ASR && elapsed.tv_sec <
- DOUBT_NXDOMAIN_SEC) {
+ if (sec != SECURE && elapsed.tv_sec < DOUBT_NXDOMAIN_SEC &&
+ !force_acceptbogus && res->type != UW_RES_ASR &&
+ (result->rcode == LDNS_RCODE_NXDOMAIN || sec == BOGUS)) {
/*
* Doubt NXDOMAIN or BOGUS if we just switched networks, we
* might be behind a captive portal.
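Review bot: The comment under the rewritten condition still reads "Doubt NXDOMAIN or BOGUS" and does not mention that a validated answer is now exempt through the new `sec != SECURE` guard. Because `sec == BOGUS` already implies `sec != SECURE`, the guard only changes the NXDOMAIN arm, and the comment is where a reader would expect to learn that. I would reword it to `Doubt an unvalidated NXDOMAIN or a BOGUS answer if we just switched networks; a SECURE NXDOMAIN was validated and is accepted.` The comment and the rest of resolve_done continue outside the hunk, so how a doubted response is handled is not visible here.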