Comment 9 for bug 1500683

This continues to cause us pain, though; I just spent an hour looking through a DNS issue to remember that this was the root cause. We should either change the default or make it so we can detect when the forwarder won't handle DNSSEC and correctly disable it -- a failure in the field due to this is unacceptable.