ok deraadt@ kn@

Note that, at this time, Unbound does not re-use TLS connections
(https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the
TCP and TLS handshakes will cause a disproportiate increase in
latency compared to UDP.  ok sthen@ florian@

OK florian@ sthen@

enable dnssec validation, it's really useful for debug

default upstream in 1.7.2 (picked up by us with the update to 1.7.3).
ok florian@

prefix" address instead - there are so many available with varying
policies that this isn't a good place to list them (and might imply
some kind of recommendation which is not intended).
Particularly prompted by several on the previous list (he.net and opendns)
strip RRSIG from results which cause DNSSEC failures now that validation
is enabled in the example config as noticed by solene@.
While there, shrink qname-minimisation comment to match other nearby
comments, and drop dns64 example which is quite a specialist use case
and not really needed in this basic example.

Requested by & OK claudio
Input & OK sthen
OK job, solene
Various commenting that they run with validation since a long time
without issues.

While here, qname minimisation is an RFC since some time.
tweak & OK sthen

some time ago by phessler and IIRC also mikeb), and for qname-minimisation

keys/certificates for auth. ok florian@

iterator" by default.  Pointed out by Patrik Lundin.

and use it as the default location for the DNSSEC root key. Update default
config for this location.
With this, the only step required to enable DNSSEC validation is to
uncomment these default config entries and restart:
#module-config: "validator iterator"
#auto-trust-anchor-file: "/var/unbound/db/root.key"
There is no longer a requirement to run unbound-anchor manually to
update the root key. The rc.d script will take care of updates at boot,
and Unbound will manage the file itself at runtime.
Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.