r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
Changed paths:
   M /head/crypto/openssh/readconf.c
   M /head/crypto/openssh/ssh_config
   M /head/crypto/openssh/ssh_config.5

Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS.  With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records.  If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.

--- readconf.c	2013-10-03 08:15:03.496131082 -0500
+++ readconf.c	2013-10-03 08:15:22.716134315 -0500
@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
 		options->rekey_limit = 0;
 	if (options->rekey_interval == -1)
 		options->rekey_interval = 0;
+#if HAVE_LDNS
+	if (options->verify_host_key_dns == -1)
+		/* automatically trust a verified SSHFP record */
+		options->verify_host_key_dns = 1;
+#else
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
+#endif
 	if (options->server_alive_interval == -1)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
--- ssh_config	2013-10-03 08:15:03.537131330 -0500
+++ ssh_config	2013-10-03 08:15:22.755131175 -0500
@@ -44,5 +44,6 @@
 #   TunnelDevice any:any
 #   PermitLocalCommand no
 #   VisualHostKey no
+#   VerifyHostKeyDNS yes
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
--- ssh_config.5	2013-10-03 08:15:03.621130815 -0500
+++ ssh_config.5	2013-10-03 08:15:22.851132133 -0500
@@ -1246,7 +1246,10 @@ The argument must be
 or
 .Dq ask .
 The default is
-.Dq no .
+.Dq yes
+if compiled with LDNS and
+.Dq no
+otherwise.
 Note that this option applies to protocol version 2 only.
 .Pp
 See also VERIFYING HOST KEYS in
