It is defaulted to "auto" because more and more of the internet _IS_ enabling DNSSEC: all delegations from the root are signed, and most registries will take care of getting the DS RRsets into the parent zone.
The only way to actually fix some of the DNS cache poisoning attacks is to enable DNSSEC. That the upstream forwarder doesn't support dnssec is a configuration bug in the upstream forwarder. I'm disinclined to make the default be less secure, in order to "support" broken upstream forwarders. But I'll stop short of marking it Won't Fix, at least for now.

--
https://bugs.launchpad.net/bugs/1500683
Title: By default DNSSEC is enabled with automatic keys