From 3cf6b014d3a9a13649b4019f822d6706be0c8083 Mon Sep 17 00:00:00 2001
From: job <>
Date: Thu, 7 Nov 2019 12:49:45 +0000
Subject: [PATCH] Enable DNSSEC validation in unbound by default

OK deraadt@ otto@
---
 src/etc/unbound.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/etc/unbound.conf b/src/etc/unbound.conf
index f226d77f..b46847e3 100644
--- a/src/etc/unbound.conf
+++ b/src/etc/unbound.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: unbound.conf,v 1.17 2019/08/25 15:50:21 ajacoutot Exp $
+# $OpenBSD: unbound.conf,v 1.18 2019/11/07 12:49:45 job Exp $
 
 server:
 	interface: 127.0.0.1
@@ -19,9 +19,9 @@ server:
 	hide-identity: yes
 	hide-version: yes
 
-	# Uncomment to enable DNSSEC validation.
+	# Perform DNSSEC validation. Comment out the below option to disable.
 	#
-	#auto-trust-anchor-file: "/var/unbound/db/root.key"
+	auto-trust-anchor-file: "/var/unbound/db/root.key"
 	#val-log-level: 2
 
 	# Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains