::arg().set("local-address","IP addresses to listen on, separated by spaces or commas. Also accepts ports.")="127.0.0.1";
::arg().setSwitch("non-local-bind", "Enable binding to non-local addresses by using FREEBIND / BINDANY socket options")="no";
::arg().set("trace","if we should output heaps of logging. set to 'fail' to only log failing domains")="off";
- ::arg().set("dnssec", "DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate")="process-no-validate";
+ ::arg().set("dnssec", "DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate")="process";
::arg().set("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";
::arg().set("signature-inception-skew", "Allow the signature inception to be off by this number of seconds")="60";
::arg().set("daemon","Operate as a daemon")="no";
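Review bot: the help string and the default agree (the "(default)" marker moves with the value to ``process``), but this flips every deployment that never set ``dnssec`` explicitly from a non-validating to a validating resolver, so bogus data that previously came back unvalidated will now be answered with SERVFAIL; the commit needs the matching upgrade-guide entry, and the ``dnssec-log-bogus`` switch two lines below stays at ``no``, which is worth calling out to operators who will want to see why answers start failing.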
``process-no-validate``
^^^^^^^^^^^^^^^^^^^^^^^
-The default mode.
+The default mode until PowerDNS Recursor 4.5.0.
In this mode the Recursor acts as a "security aware, non-validating" nameserver, meaning it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a DO-bit in the query), except for zones provided through the ``auth-zones`` setting.
It will not do any validation in this mode, not even when requested by the client.
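Review bot: "The default mode until PowerDNS Recursor 4.5.0" is ambiguous about whether 4.5.0 itself is included; since the change takes effect in 4.5.0, "The default mode in versions before 4.5.0." says it unambiguously and mirrors the "since 4.5.0" wording used for ``process``.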
``process``
^^^^^^^^^^^
+The default mode since PowerDNS Recursor 4.5.0.
+
When :ref:`setting-dnssec` is set to ``process`` the behaviour is similar to `process-no-validate`_.
However, the recursor will try to validate the data if at least one of the DO or AD bits is set in the query;
in that case, it will set the AD-bit in the response when the data is validated successfully, or send SERVFAIL when the validation comes up bogus.
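Review bot: now that ``process`` is the default, the sentence "send SERVFAIL when the validation comes up bogus" is the one most operators will hit; consider adding a cross-reference to the ``dnssec-log-bogus`` setting (the same :ref: style as :ref:`setting-dnssec` above) right after it, so readers of this section learn how to get those validation failures into the log.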
----------
.. versionadded:: 4.0.0
+.. versionchanged:: 4.5.0
+ The default changed from ``process-no-validate`` to ``process``
+
- One of ``off``, ``process-no-validate``, ``process``, ``log-fail``, ``validate``, String
-- Default: ``process-no-validate``
+- Default: ``process``
Set the mode for DNSSEC processing, as detailed in :doc:`dnssec`.
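Review bot: the ``versionchanged`` body names the new default but not its effect; a second sentence saying that the recursor now validates when the DO or AD bit is set and returns SERVFAIL on bogus data would tell a reader scanning the settings page what actually changes for them. Also end "The default changed from ``process-no-validate`` to ``process``" with a period, as the surrounding sentences do.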
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- The :ref:`setting-minimum-ttl-override` and :ref:`setting-ecs-minimum-ttl-override` defaults have ben changed from 0 to 1.
- The :ref:`setting-spoof-nearmiss-max` default has been changed from 20 to 1.
+- The :ref:`setting-dnssec` default has changed from ``process-no-validate`` to ``process``.
Removed settings
^^^^^^^^^^^^^^^^
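Review bot: the new upgrade-notes bullet should say what the change means in practice and how to opt out: answers are now validated when the client sets DO or AD, bogus data yields SERVFAIL, and operators who need the old behaviour can set ``dnssec=process-no-validate`` explicitly. While touching this list, the context line above has "ben changed", which should read "been changed".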