- Change default of harden-algo-downgrade to off. This is lenient

  for algorithm rollover.

git-svn-id: file:///svn/unbound/trunk@3478 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index 119e40d100845d9ad9bd5fa3c61efbe9b6165930..fef399d8675f0cc02edf60ec7d185326c4b17c95 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,8 @@
        - Fix deadlock for local data add and zone add when unbound-control
          list_local_data printout is interrupted.
        - iana portlist update.
+       - Change default of harden-algo-downgrade to off.  This is lenient
+         for algorithm rollover.
 
 13 August 2015: Wouter
        - 5011 implementation does not insist on all algorithms, when

diff --git a/doc/example.conf.in b/doc/example.conf.in
index 90491119eac1c3d9d3134e6d3d34a547d1ea6cde..e34fc3191798343fd7232f23aeb85348ebde7384 100644 (file)
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -294,7 +294,7 @@ server:
        # Harden against algorithm downgrade when multiple algorithms are
        # advertised in the DS record.  If no, allows the weakest algorithm
        # to validate the zone.
-       # harden-algo-downgrade: yes
+       # harden-algo-downgrade: no
 
        # Use 0x20-encoded random bits in the query to foil spoof attempts.
        # This feature is an experimental implementation of draft dns-0x20.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index cfbedd7d068d02016748904eecb11c87549daaf8..eec11827451d5fba06045908bf587d328ba2e563 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -567,7 +567,7 @@ to increase the max depth that is checked to.
 .B harden\-algo\-downgrade: \fI<yes or no>
 Harden against algorithm downgrade when multiple algorithms are
 advertised in the DS record.  If no, allows the weakest algorithm to
-validate the zone.  Default is yes.  Zone signers must produce zones
+validate the zone.  Default is no.  Zone signers must produce zones
 that allow this feature to work, but sometimes they do not, and turning
 this option off avoids that validation failure.
 .TP

diff --git a/util/config_file.c b/util/config_file.c
index 3ef545a7b265ac1e49671b848d985a8c2255092a..211fffba4b885a447534b5dc6c57deff4ec791d4 100644 (file)
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -174,7 +174,7 @@ config_create(void)
        cfg->harden_dnssec_stripped = 1;
        cfg->harden_below_nxdomain = 0;
        cfg->harden_referral_path = 0;
-       cfg->harden_algo_downgrade = 1;
+       cfg->harden_algo_downgrade = 0;
        cfg->use_caps_bits_for_id = 0;
        cfg->caps_whitelist = NULL;
        cfg->private_address = NULL;