Index: readconf.c
===================================================================
--- readconf.c
+++ readconf.c
@@ -2175,7 +2175,7 @@
 if (options->batch_mode == -1)
 options->batch_mode = 0;
 if (options->check_host_ip == -1)
- options->check_host_ip = 1;
+ options->check_host_ip = 0;
 if (options->strict_host_key_checking == -1)
 options->strict_host_key_checking = SSH_STRICT_HOSTKEY_ASK;
 if (options->compression == -1)
@@ -2239,8 +2239,14 @@
 options->rekey_limit = 0;
 if (options->rekey_interval == -1)
 options->rekey_interval = 0;
+#if HAVE_LDNS
+ if (options->verify_host_key_dns == -1)
+ /* automatically trust a verified SSHFP record */
+ options->verify_host_key_dns = 1;
+#else
 if (options->verify_host_key_dns == -1)
 options->verify_host_key_dns = 0;
+#endif
 if (options->server_alive_interval == -1)
 options->server_alive_interval = 0;
 if (options->server_alive_count_max == -1)
Index: ssh_config
===================================================================
--- ssh_config
+++ ssh_config
@@ -25,7 +25,7 @@
 # GSSAPIAuthentication no
 # GSSAPIDelegateCredentials no
 # BatchMode no
-# CheckHostIP yes
+# CheckHostIP no
 # AddressFamily any
 # ConnectTimeout 0
 # StrictHostKeyChecking ask
@@ -44,4 +44,5 @@
 # ProxyCommand ssh -q -W %h:%p gateway.example.com
 # RekeyLimit 1G 1h
 # UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+# VerifyHostKeyDNS yes
 # VersionAddendum FreeBSD-20200214
Index: ssh_config.5
===================================================================
--- ssh_config.5
+++ ssh_config.5
@@ -420,8 +420,7 @@
 .Cm no .
 .It Cm CheckHostIP
 If set to
-.Cm yes
-(the default),
+.Cm yes ,
 .Xr ssh 1
 will additionally check the host IP address in the
 .Pa known_hosts
@@ -434,6 +433,8 @@
 If the option is set to
 .Cm no ,
 the check will not be executed.
+The default is
+.Cm no .
 .It Cm Ciphers
 Specifies the ciphers allowed and their order of preference.
 Multiple ciphers must be comma-separated.
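Review bot: The new default `options->check_host_ip = 0` carries no comment saying why the IP consistency check is being dropped, so the next reader cannot tell a deliberate trade-off from an accident. That check is what notices a known hostname suddenly resolving to an address whose key differs, so the assignment deserves a why-comment, e.g. `/* FreeBSD default: off; the host key remains the trust anchor and the IP check is presumably too noisy with dynamic addresses and hashed known_hosts — confirm rationale */`. The enclosing function starts and ends outside this hunk.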
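Review bot: Defaulting `verify_host_key_dns` to 1 means a host key that matches an SSHFP record is accepted without the known_hosts prompt, and the comment "automatically trust a verified SSHFP record" does not say what "verified" rests on. As far as I recall from dns.c (not in this diff), the "secure" flag that gates automatic acceptance comes from the resolver reporting the answer as DNSSEC-validated (the AD bit), so a client that talks to a remote, non-validating resolver over plain UDP, or any on-path party able to set AD, gets silent acceptance of a forged record; the comment should spell that assumption out, e.g. `/* auto-accept a host key matching an SSHFP record, but only when the resolver reports the answer DNSSEC-validated (AD); this trusts the path to the resolver */`. As a point of style, both `#if` arms repeat the `== -1` test; hoisting that test and leaving only the assignment under `#ifdef HAVE_LDNS` (the form that also tolerates a bare `-DHAVE_LDNS`) would read more cleanly. The enclosing function starts and ends outside this hunk.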
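Review bot: The sample line `#   VerifyHostKeyDNS yes` states the default unconditionally, while readconf.c in this same change makes it depend on `HAVE_LDNS`, so a build without LDNS ships a sample that misstates its own default. Since these lines are documentation of compiled-in defaults, qualify it in place, e.g. `#   VerifyHostKeyDNS yes   (no when built without LDNS)`, or keep the ssh_config.5 wording and this sample in step some other way.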
@@ -1772,7 +1773,10 @@
 .Cm StrictHostKeyChecking
 option.
 The default is
-.Cm no .
+.Cm yes
+if compiled with LDNS and
+.Cm no
+otherwise.
 .Pp
 See also
 .Sx VERIFYING HOST KEYS
Index: sshd_config
===================================================================
--- sshd_config
+++ sshd_config
@@ -10,6 +10,9 @@
 # possible, but leave them commented. Uncommented options override the
 # default value.
 
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -84,7 +87,7 @@
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+#X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
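Review bot: `#X11Forwarding yes` advertises a server default that upstream deliberately ships off, and the servconf.c change that would actually set that default is not in this diff, so confirm the two agree or this sample will misstate what an unconfigured sshd does. The exposure is mostly on the client side (a user who forwards X11 to a hostile host gives it a channel to their display), and the retained `#X11UseLocalhost yes` context line keeps the server-side proxy display off the wildcard address, but the divergence from OpenBSD deserves a note next to the line, e.g. `# FreeBSD default; upstream OpenSSH defaults X11Forwarding to no`.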