ssh: default VerifyHostKeyDNS to no, following upstream

Revert to upstream's default.  Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.

This reverts commit 83c6a5242c.

Reported by:	David Leadbeater, G-Research
Reviewed by:	gordon
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D38648

crypto/openssh/FREEBSD-upgrade

@@ -122,7 +122,6 @@
    We've modified some configuration defaults in ssh:
 
       - CheckHostIP defaults to "no".
-      - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
 
 3) Canonic host names
 

crypto/openssh/readconf.c

@@ -2592,14 +2592,8 @@ fill_default_options(Options * options)
 		options->rekey_limit = 0;
 	if (options->rekey_interval == -1)
 		options->rekey_interval = 0;
-#if HAVE_LDNS
-	if (options->verify_host_key_dns == -1)
-		/* automatically trust a verified SSHFP record */
-		options->verify_host_key_dns = 1;
-#else
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-#endif
 	if (options->server_alive_interval == -1)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)

crypto/openssh/ssh_config

@@ -44,4 +44,3 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
-#   VerifyHostKeyDNS yes

crypto/openssh/ssh_config.5

@@ -1991,10 +1991,7 @@ need to confirm new host keys according to the
 .Cm StrictHostKeyChecking
 option.
 The default is
-.Cm yes
-if compiled with LDNS and
-.Cm no
-otherwise.
+.Cm no .
 .Pp
 See also
 .Sx VERIFYING HOST KEYS