Comment 6 for bug 1500683

LaMont Jones (lamont) wrote :

It is defaulted to "auto" because more and more of the internet _IS_ enabling DNSSEC: all delegations from the root are signed, and most registries will take care of getting the DS RRsets into the parent zone.

The only way to actually fix some of the DNS cache poisoning attacks is to enable DNSSEC. That the upstream forwarder doesn't support DNSSEC is a configuration bug in the upstream forwarder. I'm disinclined to make the default be less secure in order to "support" broken upstream forwarders. But I'll stop short of marking it Won't Fix, at least for now.