r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
Changed paths:
   M /head/crypto/openssh/readconf.c
   M /head/crypto/openssh/ssh_config
   M /head/crypto/openssh/ssh_config.5

Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS.  With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records.  If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.

--- readconf.c	2013-10-03 08:15:03.496131082 -0500
+++ readconf.c	2013-10-03 08:15:22.716134315 -0500
@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
 		options->rekey_limit = 0;
 	if (options->rekey_interval == -1)
 		options->rekey_interval = 0;
+#if HAVE_LDNS
+	if (options->verify_host_key_dns == -1)
+		/* automatically trust a verified SSHFP record */
+		options->verify_host_key_dns = 1;
+#else
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
+#endif
 	if (options->server_alive_interval == -1)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
--- ssh_config	2013-10-03 08:15:03.537131330 -0500
+++ ssh_config	2013-10-03 08:15:22.755131175 -0500
@@ -44,5 +44,6 @@
 #   TunnelDevice any:any
 #   PermitLocalCommand no
 #   VisualHostKey no
+#   VerifyHostKeyDNS yes
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
--- ssh_config.5.orig	2016-12-18 20:59:41.000000000 -0800
+++ ssh_config.5	2017-01-11 11:24:25.573200000 -0800
@@ -1635,7 +1635,10 @@ need to confirm new host keys according 
 .Cm StrictHostKeyChecking
 option.
 The default is
-.Cm no .
+.Cm yes
+if compiled with LDNS and
+.Cm no
+otherwise.
 .Pp
 See also
 .Sx VERIFYING HOST KEYS
