From 92577eaf7ec359feb5dc66d269cbecfb03419680 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 28 Mar 2023 16:54:47 +0200
Subject: [PATCH] Make checkds yes the default

This seems to be the more common case.
---
 bin/named/zoneconf.c                       |  2 +-
 bin/tests/system/checkds/ns9/named.conf.in | 14 --------------
 doc/arm/reference.rst                      |  3 ++-
 lib/dns/zone.c                             |  2 +-
 4 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 83850a5675..21dbe6d8a9 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -877,7 +877,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	const char *filename = NULL;
 	const char *kaspname = NULL;
 	const char *dupcheck;
-	dns_checkdstype_t checkdstype = dns_checkdstype_explicit;
+	dns_checkdstype_t checkdstype = dns_checkdstype_yes;
 	dns_notifytype_t notifytype = dns_notifytype_yes;
 	uint32_t count;
 	unsigned int dbargc;
diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in
index d983f92b5d..2d4dcb28f8 100644
--- a/bin/tests/system/checkds/ns9/named.conf.in
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -87,7 +87,6 @@ zone "good.yes.dspublish.ns2" {
 	file "good.yes.dspublish.ns2.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /* Same as above, but with checkds disabled. */
@@ -105,7 +104,6 @@ zone "no-ent.ns2" {
 	file "no-ent.ns2.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -129,7 +127,6 @@ zone "not-yet.yes.dspublish.ns5" {
 	file "not-yet.yes.dspublish.ns5.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -153,7 +150,6 @@ zone "bad.yes.dspublish.ns6" {
 	file "bad.yes.dspublish.ns6.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -185,7 +181,6 @@ zone "good.yes.dspublish.ns2-4" {
 	file "good.yes.dspublish.ns2-4.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 zone "good.no.dspublish.ns2-4" {
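Review bot: The new default `dns_checkdstype_yes` is now hard-coded independently in two places — the `checkdstype` local here in named_zone_configure and the `.checkdstype` designated initializer of dns_zone_create in the lib/dns/zone.c hunk — so a later change to one will silently diverge from the other; consider defining the default once alongside DNS_ZONE_MINREFRESH and the other DNS_ZONE_* defaults and using that single name in both initializers. The change also alters behaviour for every zone that relied on the old default: per the reference.rst hunk, `yes` sends DS queries to the servers found in the parent zone's NS records during a KSK rollover, whereas `explicit` without any configured parental-agents sent none, so deployments with restricted outbound DNS will presumably start seeing new egress queries and rollovers that wait on their answers. None of the four touched files is a CHANGES or release-notes entry, so a note describing the new default and how to restore the old one (`checkds explicit;`) seems warranted. named_zone_configure's body continues outside the hunk, so whether a configured `checkds` value still overrides this local default cannot be confirmed from here.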
@@ -219,7 +214,6 @@ zone "incomplete.yes.dspublish.ns2-4-5" {
 	file "incomplete.yes.dspublish.ns2-4-5.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -245,7 +239,6 @@ zone "bad.yes.dspublish.ns2-4-6" {
 	file "bad.yes.dspublish.ns2-4-6.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -289,7 +282,6 @@ zone "good.yes.dsremoved.ns5" {
 	file "good.yes.dsremoved.ns5.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 zone "good.no.dsremoved.ns5" {
@@ -305,7 +297,6 @@ zone "no-ent.ns5" {
 	file "no-ent.ns5.db";
 	inline-signing yes;
 	dnssec-policy "default";
-	checkds yes;
 };
 
 /*
@@ -329,7 +320,6 @@ zone "still-there.yes.dsremoved.ns2" {
 	file "still-there.yes.dsremoved.ns2.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 /*
@@ -353,7 +343,6 @@ zone "bad.yes.dsremoved.ns6" {
 	file "bad.yes.dsremoved.ns6.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 /*
@@ -385,7 +374,6 @@ zone "good.yes.dsremoved.ns5-7" {
 	file "good.yes.dsremoved.ns5-7.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 zone "good.no.dsremoved.ns5-7" {
@@ -419,7 +407,6 @@ zone "incomplete.yes.dsremoved.ns2-5-7" {
 	file "incomplete.yes.dsremoved.ns2-5-7.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 /*
@@ -445,7 +432,6 @@ zone "bad.yes.dsremoved.ns5-6-7" {
 	file "bad.yes.dsremoved.ns5-6-7.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
-	checkds yes;
 };
 
 /*
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 22df16551b..8225c57089 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6439,9 +6439,10 @@ The following options apply to DS queries sent to :any:`parental-agents`:
 
    If set to ``yes``, DS queries are sent when a KSK rollover is in progress.
    The queries are sent to the servers listed in the parent zone's NS records.
+   This is the default.
 
    If set to ``explicit``, DS queries are sent only to servers explicitly listed
-   using :any:`parental-agents`. This is the default.
+   using :any:`parental-agents`.
 
    If set to ``no``, no DS queries are sent. Users should manually run
    :option:`rndc dnssec -checkds ` with the appropriate parameters
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 3beae55f8f..acd2044834 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1084,7 +1084,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx, unsigned int tid) {
 		.minrefresh = DNS_ZONE_MINREFRESH,
 		.maxretry = DNS_ZONE_MAXRETRY,
 		.minretry = DNS_ZONE_MINRETRY,
-		.checkdstype = dns_checkdstype_explicit,
+		.checkdstype = dns_checkdstype_yes,
 		.notifytype = dns_notifytype_yes,
 		.zero_no_soa_ttl = true,
 		.check_names = dns_severity_ignore,