- Change default of harden-algo-downgrade to off. This is lenient
for algorithm rollover.


git-svn-id: file:///svn/unbound/trunk@3478 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2015-08-24 15:05:10 +00:00
parent 06838a2bad
commit e65fdc31aa
4 changed files with 5 additions and 3 deletions


@ -2,6 +2,8 @@
- Fix deadlock for local data add and zone add when unbound-control
list_local_data printout is interrupted.
- iana portlist update.
- Change default of harden-algo-downgrade to off. This is lenient
for algorithm rollover.
13 August 2015: Wouter
- 5011 implementation does not insist on all algorithms, when
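Review bot: the new Changelog entry gives the new default but not its operational consequence for existing deployments; since the previous behaviour was harden-algo-downgrade: yes, operators who relied on the stricter check now have to set it explicitly, and a short clause saying so (e.g. "set harden-algo-downgrade: yes to keep the previous strict behaviour") would make the entry actionable.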


@ -294,7 +294,7 @@ server:
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
# to validate the zone.
# harden-algo-downgrade: yes
# harden-algo-downgrade: no
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
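Review bot: the comment above the changed default line still describes the option only in terms of hardening ("Harden against algorithm downgrade ...") while the shown default is now "no", so a reader of example.conf gets no hint why the lenient setting is the default; add the rationale from the Changelog, e.g. "# Default is no, to be lenient for algorithm rollover.", and keep the existing warning that with "no" the weakest algorithm advertised in the DS record is enough to validate the zone.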


@ -567,7 +567,7 @@ to increase the max depth that is checked to.
.B harden\-algo\-downgrade: \fI<yes or no>
Harden against algorithm downgrade when multiple algorithms are
advertised in the DS record. If no, allows the weakest algorithm to
validate the zone. Default is yes. Zone signers must produce zones
validate the zone. Default is no. Zone signers must produce zones
that allow this feature to work, but sometimes they do not, and turning
this option off avoids that validation failure.
.TP
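Review bot: the closing sentence "turning this option off avoids that validation failure" is written from the perspective of the old default and now describes the default state; reword it to the new perspective, e.g. "Turning this option on may cause validation failures for such zones", and make the trade-off explicit: with the default of no, a zone that advertises a weak algorithm alongside a strong one validates under the weak one, so validators that want the stricter check must set harden-algo-downgrade: yes.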


@ -174,7 +174,7 @@ config_create(void)
cfg->harden_dnssec_stripped = 1;
cfg->harden_below_nxdomain = 0;
cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 1;
cfg->harden_algo_downgrade = 0;
cfg->use_caps_bits_for_id = 0;
cfg->caps_whitelist = NULL;
cfg->private_address = NULL;
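Review bot: the assignment `cfg->harden_algo_downgrade = 0;` carries no comment, so nothing in the code records why the hardening default was relaxed; a one-line comment referring to algorithm rollover would keep a future cleanup from flipping it back to 1. Also, the diff touches only config_create() and documentation, so please confirm that any test data or unbound-checkconf expectations that assumed the hardened default now set harden-algo-downgrade: yes explicitly.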