diff --git a/bin/named/server.c b/bin/named/server.c
index 9052672e2b..57a023798b 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4067,14 +4067,38 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	view->acceptexpired = cfg_obj_asboolean(obj);
 
 	obj = NULL;
-	result = named_config_get(maps, "dnssec-validation", &obj);
+	result = named_config_get(maps, "dnssec-enable", &obj);
 	INSIST(result == ISC_R_SUCCESS);
-	if (cfg_obj_isboolean(obj)) {
-		view->enablevalidation = cfg_obj_asboolean(obj);
-	} else {
-		/* If dnssec-validation is not boolean, it must be "auto" */
-		view->enablevalidation = true;
-		auto_root = true;
+	view->enablednssec = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	/* 'optionmaps', not 'maps': don't check named_g_defaults yet */
+	(void)named_config_get(optionmaps, "dnssec-validation", &obj);
+	if (obj == NULL) {
+		/*
+		 * If dnssec-enable is yes, then we default to
+		 * VALIDATION_DEFAULT as set in config.c. Otherwise
+		 * we default to "no".
+		 */
+		if (view->enablednssec) {
+			(void)cfg_map_get(named_g_defaults,
+					  "dnssec-validation", &obj);
+			INSIST(obj != NULL);
+		} else {
+			view->enablevalidation = false;
+		}
+	}
+	if (obj != NULL) {
+		if (cfg_obj_isboolean(obj)) {
+			view->enablevalidation = cfg_obj_asboolean(obj);
+		} else {
+			/*
+			 * If dnssec-validation is set but not boolean,
+			 * then it must be "auto"
+			 */
+			view->enablevalidation = true;
+			auto_root = true;
+		}
 	}
 
 	obj = NULL;
@@ -5090,11 +5114,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 			view->prefetch_eligible = view->prefetch_trigger + 6;
 	}
 
-	obj = NULL;
-	result = named_config_get(maps, "dnssec-enable", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->enablednssec = cfg_obj_asboolean(obj);
-
 	obj = NULL;
 	result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
 	if (result == ISC_R_SUCCESS) {
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 2ab4d6d2db..047e5c0199 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -1070,11 +1070,14 @@
 	<listitem>
 	  <para>
 	    Enable, disable, or check the current status of
-	    DNSSEC validation.
-	    Note <command>dnssec-enable</command> also needs to be
-	    set to <userinput>yes</userinput> or
-	    <userinput>auto</userinput> to be effective.
-	    It defaults to enabled.
+	    DNSSEC validation.  By default, validation is enabled.
+	    (Note that <command>dnssec-enable</command> must also be
+	    <userinput>yes</userinput> (the default value) for signatures
+	    to be returned along with validated data. If validation is
+	    enabled while <command>dnssec-enable</command> is set to
+	    <userinput>no</userinput>, the server will validate internally,
+	    but will not supply clients with the necessary records to allow
+	    validity to be confirmed.)
 	  </para>
 	</listitem>
       </varlistentry>
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index c012ce88c7..02d933c7f6 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2201,43 +2201,54 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 
       </section>
 
-      <section xml:id="dnssec_config"><info><title>Configuring Servers</title></info>
-
+      <section xml:id="dnssec_config"><info><title>Configuring Servers for DNSSEC</title></info>
 	<para>
 	  To enable <command>named</command> to respond appropriately
-	  to DNS requests from DNSSEC aware clients,
-	  <command>dnssec-enable</command> must be set to yes.
-	  This is the default setting.
+	  to DNS requests from DNSSEC-aware clients,
+	  <command>dnssec-enable</command> must be set to
+	  <userinput>yes</userinput>. This is the default setting.
 	</para>
-
 	<para>
-	  To enable <command>named</command> to validate answers from
-	  other servers, the <command>dnssec-enable</command> option
-	  must be set to <userinput>yes</userinput>, and the
+	  To enable <command>named</command> to validate answers
+	  received from other servers, the
 	  <command>dnssec-validation</command> option must be set to
 	  either <userinput>yes</userinput> or <userinput>auto</userinput>.
 	</para>
-
 	<para>
 	  When <command>dnssec-validation</command> is set to
 	  <userinput>auto</userinput>, a trust anchor for the DNS
 	  root zone will automatically be used. This trust anchor is
 	  provided as part of BIND and is kept up to date using RFC 5011
 	  key management.
-	  If <command>dnssec-validation</command> is set to
-	  <userinput>yes</userinput>, then
-	  DNSSEC validation only occurs if
-	  at least one trust anchor has been explicitly configured
-	  in <filename>named.conf</filename>,
+	</para>
+	<para>
+	  When <command>dnssec-validation</command> is set to
+	  <userinput>yes</userinput>, DNSSEC validation will only occur
+	  if at least one trust anchor has been explicitly configured
+	  in <filename>named.conf</filename>
 	  using a <command>trusted-keys</command> or
 	  <command>managed-keys</command> statement.
-	  If <command>dnssec-validation</command> is set to
-	  <userinput>no</userinput>, then DNSSEC validation will
-	  not occur.
+	</para>
+	<para>
+	  When <command>dnssec-validation</command> is set to
+	  <userinput>no</userinput>, DNSSEC validation will not occur.
+	</para>
+	<para>
 	  The default is <userinput>auto</userinput> unless BIND is
 	  built with <command>configure --disable-auto-validation</command>,
 	  in which case the default is <userinput>yes</userinput>.
 	</para>
+	<para>
+	  If <command>dnssec-enable</command> is set to
+	  <userinput>no</userinput>, then the default for
+	  <command>dnssec-validation</command> is also changed to
+	  <userinput>no</userinput>. If
+	  <command>dnssec-validation</command> is set to
+	  <userinput>yes</userinput>, the server will
+	  perform DNSSEC validation internally, but will not return
+	  signatures when queried - but it will not be turned on
+	  automatically.
+	</para>
 
 	<para>
 	  <command>trusted-keys</command> are copies of DNSKEY RRs
@@ -6600,34 +6611,54 @@ options {
 	      <term><command>dnssec-validation</command></term>
 	      <listitem>
 		<para>
-		  Enable DNSSEC validation in <command>named</command>.
-		  Note <command>dnssec-enable</command> also needs to be
-		  set to <userinput>yes</userinput> to be effective.
+		  This enables DNSSEC validation in <command>named</command>.
+		  Note that <command>dnssec-enable</command> also needs to
+		  be set to <userinput>yes</userinput> for signatures to be
+		  returned to the client along with validated answers.
+		</para>
+	        <para>
+		  If set to <userinput>auto</userinput>,
+		  DNSSEC validation is enabled, and a default trust anchor
+		  for the DNS root zone is used.
+		</para>
+		<para>
+		  If set to <userinput>yes</userinput>, DNSSEC validation is
+		  enabled, but a trust anchor must be manually configured
+		  using a <command>trusted-keys</command>
+		  or <command>managed-keys</command> statement; if there
+		  is no configured trust anchor, validation will not take
+		  place.
+		</para>
+		<para>
 		  If set to <userinput>no</userinput>, DNSSEC validation
 		  is disabled.
 		</para>
-	        <para>
-		  If set to <userinput>auto</userinput>, DNSSEC validation
-		  is enabled, and a default trust anchor for the DNS root
-		  zone is used.  If set to <userinput>yes</userinput>,
-		  DNSSEC validation is enabled, but a trust anchor must be
-		  manually configured using a <command>trusted-keys</command>
-		  or <command>managed-keys</command> statement.  The default
-		  is <userinput>yes</userinput>.
+		<para>
+		  The default is <userinput>auto</userinput>, unless
+		  BIND is built with
+		  <command>configure --disable-auto-validation</command>,
+		  in which case the default is <userinput>yes</userinput>.
+		  If <command>dnssec-enable</command> is set to
+		  <userinput>no</userinput>, then the default for
+		  <command>dnssec-validation</command> is also
+		  <userinput>no</userinput>. Validation can still be turned on
+		  if desired - this results in a server that performs DNSSEC
+		  validation but does not return signatures when queried -
+		  but it will not be turned on automatically.
 		</para>
 		<para>
 		  The default root trust anchor is stored in the file
 		  <filename>bind.keys</filename>.
 		  <command>named</command> will load that key at
 		  startup if <command>dnssec-validation</command> is
-		  set to <constant>auto</constant>.  A copy of the file is
+		  set to <userinput>auto</userinput>.  A copy of the file is
 		  installed along with BIND 9, and is current as of the
 		  release date.  If the root key expires, a new copy of
 		  <filename>bind.keys</filename> can be downloaded
 		  from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/bind-keys">https://www.isc.org/bind-keys</link>.
 		</para>
 		<para>
-		  To prevent problems if <filename>bind.keys</filename> is
+		  (To prevent problems if <filename>bind.keys</filename> is
 		  not found, the current trust anchor is also compiled in
 		  to <command>named</command>.  Relying on this is not
 		  recommended, however, as it requires <command>named</command>
@@ -6635,8 +6666,8 @@ options {
 		</para>
 		<note>
 		  <para>
-		    <command>named</command> <emphasis>only</emphasis>
-		    loads the root key from <filename>bind.keys</filename>.
+		    <command>named</command> loads <emphasis>only</emphasis>
+		    the root key from <filename>bind.keys</filename>.
 		    The file cannot be used to store keys for other zones.
 		    The root key in <filename>bind.keys</filename> is ignored
 		    if <command>dnssec-validation auto</command> is not in