Set "dnssec-validation auto" by default

- the default setting for dnssec-validation is now "auto", which
  activates DNSSEC validation using the IANA root key.  The old behavior
  can be restored by explicitly setting "dnssec-validation yes", which
  activates DNSSEC validation only if keys are explicitly
  configured in named.conf.
- the ARM has been updated to describe the new behavior
Evan Hunt
2018-05-16 11:58:15 -07:00
committed by Ondřej Surý
parent 1f743fe0da
commit bef18ecac6
7 changed files with 103 additions and 31 deletions


@@ -130,6 +130,7 @@ config.@O@: config.c
-DDYNDB_LIBDIR=\"@libdir@/bind\" \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\" \
-DVALIDATION_DEFAULT=\"@VALIDATION_DEFAULT@\" \
-c ${srcdir}/config.c
server.@O@: server.c
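Review bot: the new -DVALIDATION_DEFAULT line passes @VALIDATION_DEFAULT@ straight through from configure, and nothing visible here constrains its value. If the substitution is empty or is anything other than yes, no or auto, the compiled-in defaults end up with an invalid dnssec-validation statement, and that would only surface when the built-in options are parsed rather than at build time. Suggest having configure reject other values, and documenting the build-time setting that feeds this variable alongside the ARM change.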


@@ -146,7 +146,7 @@ options {\n\
clients-per-query 10;\n\
dnssec-accept-expired no;\n\
dnssec-enable yes;\n\
dnssec-validation yes; \n"
dnssec-validation " VALIDATION_DEFAULT "; \n"
#ifdef HAVE_DNSTAP
" dnstap-identity hostname;\n"
#endif
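Review bot: on the changed dnssec-validation line, VALIDATION_DEFAULT is spliced into the default options by string-literal concatenation, so config.c now fails to compile whenever the macro is not defined as a quoted string on the compiler command line. Suggest an #ifndef VALIDATION_DEFAULT fallback in config.c that defines it as "auto", matching the default stated in the commit message, so builds that bypass the Makefile rule still work. The stray space before the \n is carried over from the old line and could be dropped while this line is being touched.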