diff --git a/bin/named/config.c b/bin/named/config.c
index 0a54bb2ec7..f57f0fe2ed 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -222,7 +222,7 @@ options {\n\
 check-srv-cname warn;\n\
 check-wildcard yes;\n\
 dialup no;\n\
- dnssec-dnskey-kskonly no;\n\
+ dnssec-dnskey-kskonly yes;\n\
 dnssec-loadkeys-interval 60;\n\
 dnssec-secure-to-insecure no;\n\
 dnssec-update-mode maintain;\n\
diff --git a/bin/tests/system/autosign/ns1/named.conf.in b/bin/tests/system/autosign/ns1/named.conf.in
index 0c3a4bf6b8..93b22a116a 100644
--- a/bin/tests/system/autosign/ns1/named.conf.in
+++ b/bin/tests/system/autosign/ns1/named.conf.in
@@ -40,6 +40,7 @@ zone "." {
 allow-query { any; };
 allow-update { any; };
 auto-dnssec maintain;
+ dnssec-dnskey-kskonly no;
 };
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 7c8f74f19a..7751cc2e42 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -253,6 +253,7 @@ zone "sync.example" {
 type primary;
 file "sync.example.db";
 allow-update { any; };
+ dnssec-dnskey-kskonly no;
 auto-dnssec maintain;
 };
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 3928ec03ad..ebfd69d69a 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -117,6 +117,7 @@ zone "cds-x.secure" {
 zone "cds-update.secure" {
 type primary;
+ dnssec-dnskey-kskonly no;
 file "cds-update.secure.db.signed";
 allow-update { any; };
 };
@@ -130,6 +131,7 @@ zone "cds-kskonly.secure" {
 zone "cds-auto.secure" {
 type primary;
+ dnssec-dnskey-kskonly no;
 file "cds-auto.secure.db.signed";
 auto-dnssec maintain;
 allow-update { any; };
@@ -147,6 +149,7 @@ zone "cdnskey-x.secure" {
 zone "cdnskey-update.secure" {
 type primary;
+ dnssec-dnskey-kskonly no;
 file "cdnskey-update.secure.db.signed";
 allow-update { any; };
 };
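Review bot: Flipping the built-in default of `dnssec-dnskey-kskonly` to `yes` changes how the DNSKEY RRset is signed for every zone that never set the option, and nothing visible in this diff tells operators so. After an upgrade such zones would presumably stop carrying ZSK signatures on the DNSKEY RRset, leaving the KSK signature as the only one validators and monitoring see. I would add a release note and CHANGES entry saying the default is now `yes`, that `dnssec-dnskey-kskonly no;` restores the previous signing, and that the option is ignored when `update-check-ksk` is `no`, as the reference text in this commit states. The options template this hunk edits starts and ends outside the hunk.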
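Review bot: The `dnssec-dnskey-kskonly no;` added to zone "." has no comment explaining why the zone opts out of the new default. The same bare line is added in autosign/ns3, four zones in dnssec/ns2, dnssec/ns3, inline/ns3 and views/ns2 named1/named2. A later reader cannot tell whether each test really depends on ZSK signatures over the DNSKEY RRset or the line only keeps older expectations passing, so I would put a short comment above each, for example `/* pinned to the pre-change default; this test expects the old DNSKEY signing */`. Since all of these zones now bypass the default, it is worth confirming that a test runs with the option unset, which is not visible from these hunks. The zone blocks open above the hunks.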
@@ -160,6 +163,7 @@ zone "cdnskey-kskonly.secure" {
 zone "cdnskey-auto.secure" {
 type primary;
+ dnssec-dnskey-kskonly no;
 file "cdnskey-auto.secure.db.signed";
 auto-dnssec maintain;
 allow-update { any; };
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 233db0cc91..7262359b32 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -284,6 +284,7 @@ zone "publish-inactive.example" {
 type primary;
 file "publish-inactive.example.db";
 auto-dnssec maintain;
+ dnssec-dnskey-kskonly no;
 update-policy local;
 };
diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in
index 8ccfaf7d2f..433e9fae16 100644
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
@@ -108,6 +108,7 @@ zone "externalkey" {
 type primary;
 inline-signing yes;
 auto-dnssec maintain;
+ dnssec-dnskey-kskonly no;
 allow-update { any; };
 file "externalkey.db";
 };
diff --git a/bin/tests/system/views/ns2/named1.conf.in b/bin/tests/system/views/ns2/named1.conf.in
index 64ac6fa8d9..b3203579b1 100644
--- a/bin/tests/system/views/ns2/named1.conf.in
+++ b/bin/tests/system/views/ns2/named1.conf.in
@@ -48,4 +48,5 @@ zone "inline" {
 key-directory "external";
 auto-dnssec maintain;
 inline-signing yes;
+ dnssec-dnskey-kskonly no;
 };
diff --git a/bin/tests/system/views/ns2/named2.conf.in b/bin/tests/system/views/ns2/named2.conf.in
index 66713fcf8a..f4e96b6663 100644
--- a/bin/tests/system/views/ns2/named2.conf.in
+++ b/bin/tests/system/views/ns2/named2.conf.in
@@ -62,6 +62,7 @@ view "internal" {
 key-directory "internal";
 auto-dnssec maintain;
 inline-signing yes;
+ dnssec-dnskey-kskonly no;
 };
 };
@@ -94,5 +95,6 @@ view "external" {
 key-directory "external";
 auto-dnssec maintain;
 inline-signing yes;
+ dnssec-dnskey-kskonly no;
 };
 };
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 6db12cc859..b6b384d292 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2218,7 +2218,7 @@ Boolean Options the remainder of the zone, but not the DNSKEY RRset. This is similar to the ``dnssec-signzone -x`` command-line option.
- The default is ``no``. If ``update-check-ksk`` is set to ``no``, this
+ The default is ``yes``. If ``update-check-ksk`` is set to ``no``, this
 option is ignored. ``try-tcp-refresh``