Switching DNSSEC Validation default to "auto" from "yes"


@each has been asking on Twitter whether we should make DNSSEC validation the default configuration.

We would like to hear more opinions about whether this will be too disruptive, and if there are other suggestions for how we can make DNSSEC easier to implement.


Link to the twitter discussion: https://twitter.com/nuthaven/status/991054953077616641

The polling seems pretty strongly in favor of turning DNSSEC validation on by default.


Ok - but if we are doing this to make it easier to deploy DNSSEC, should we ask what else would make a big difference?


Just moving the option to the default configuration, or do you mean auto-signing/key generation is also automated?


This is about turning on validation in resolvers, not signing of zones.

The current plan is to switch the default setting of ‘dnssec-validation’ from ‘yes’ to ‘auto’. There will be a configure option that puts the default back to ‘yes’. The difference between the two is, with ‘yes’ your resolver will validate only if you explicitly configure a trust anchor, but with ‘auto’ it will use the built-in trust anchor for the root zone.
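The two settings described above, side by side as named.conf fragments. This is an added illustration, not configuration from the thread or from ISC; the trust-anchor key string is a placeholder, not the real root KSK.

```conf
// Added example, not from the original thread. BIND named.conf fragments.

// (a) dnssec-validation yes: the resolver validates only because a trust
// anchor is configured explicitly. Delete the managed-keys block and this
// resolver quietly stops validating, with no error at startup.
options {
    dnssec-validation yes;
};

managed-keys {
    // PLACEHOLDER: the real root KSK public key (DNSKEY flags 257) goes here.
    "." initial-key 257 3 8 "<root-KSK-public-key-base64>";
};

// (b) dnssec-validation auto: named uses its built-in root trust anchor and
// tracks key rollovers via RFC 5011, so no managed-keys block is needed.
options {
    dnssec-validation auto;
};
```

To confirm validation is actually active, query a signed name with `dig +dnssec` and check that the AD flag is set in the reply; `rndc secroots` lists the trust anchors the running resolver currently holds.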