Make checkds yes the default

This seems to be the more common case.

bin/named/zoneconf.c

@@ -877,7 +877,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	const char *filename = NULL;
 	const char *kaspname = NULL;
 	const char *dupcheck;
-	dns_checkdstype_t checkdstype = dns_checkdstype_explicit;
+	dns_checkdstype_t checkdstype = dns_checkdstype_yes;
 	dns_notifytype_t notifytype = dns_notifytype_yes;
 	uint32_t count;
 	unsigned int dbargc;

bin/tests/system/checkds/ns9/named.conf.in

@@ -87,7 +87,6 @@ zone "good.yes.dspublish.ns2" {
 	file "good.yes.dspublish.ns2.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /* Same as above, but with checkds disabled. */
@@ -105,7 +104,6 @@ zone "no-ent.ns2" {
 	file "no-ent.ns2.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -129,7 +127,6 @@ zone "not-yet.yes.dspublish.ns5" {
 	file "not-yet.yes.dspublish.ns5.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -153,7 +150,6 @@ zone "bad.yes.dspublish.ns6" {
 	file "bad.yes.dspublish.ns6.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -185,7 +181,6 @@ zone "good.yes.dspublish.ns2-4" {
 	file "good.yes.dspublish.ns2-4.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 zone "good.no.dspublish.ns2-4" {
@@ -219,7 +214,6 @@ zone "incomplete.yes.dspublish.ns2-4-5" {
 	file "incomplete.yes.dspublish.ns2-4-5.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -245,7 +239,6 @@ zone "bad.yes.dspublish.ns2-4-6" {
 	file "bad.yes.dspublish.ns2-4-6.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -289,7 +282,6 @@ zone "good.yes.dsremoved.ns5" {
 	file "good.yes.dsremoved.ns5.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 zone "good.no.dsremoved.ns5" {
@@ -305,7 +297,6 @@ zone "no-ent.ns5" {
 	file "no-ent.ns5.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -329,7 +320,6 @@ zone "still-there.yes.dsremoved.ns2" {
 	file "still-there.yes.dsremoved.ns2.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 /*
@@ -353,7 +343,6 @@ zone "bad.yes.dsremoved.ns6" {
 	file "bad.yes.dsremoved.ns6.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 /*
@@ -385,7 +374,6 @@ zone "good.yes.dsremoved.ns5-7" {
 	file "good.yes.dsremoved.ns5-7.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 zone "good.no.dsremoved.ns5-7" {
@@ -419,7 +407,6 @@ zone "incomplete.yes.dsremoved.ns2-5-7" {
 	file "incomplete.yes.dsremoved.ns2-5-7.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 /*
@@ -445,7 +432,6 @@ zone "bad.yes.dsremoved.ns5-6-7" {
 	file "bad.yes.dsremoved.ns5-6-7.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 /*

doc/arm/reference.rst

@@ -6439,9 +6439,10 @@ The following options apply to DS queries sent to :any:`parental-agents`:
 
    If set to ``yes``, DS queries are sent when a KSK rollover is in progress.
    The queries are sent to the servers listed in the parent zone's NS records.
+   This is the default.
 
    If set to ``explicit``, DS queries are sent only to servers explicitly listed
-   using :any:`parental-agents`. This is the default.
+   using :any:`parental-agents`.
 
    If set to ``no``, no DS queries are sent. Users should manually run
    :option:`rndc dnssec -checkds <rndc dnssec>` with the appropriate parameters

lib/dns/zone.c

@@ -1084,7 +1084,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx, unsigned int tid) {
 		.minrefresh = DNS_ZONE_MINREFRESH,
 		.maxretry = DNS_ZONE_MAXRETRY,
 		.minretry = DNS_ZONE_MINRETRY,
-		.checkdstype = dns_checkdstype_explicit,
+		.checkdstype = dns_checkdstype_yes,
 		.notifytype = dns_notifytype_yes,
 		.zero_no_soa_ttl = true,
 		.check_names = dns_severity_ignore,