diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index ec0d5a352c..e4deda7ee6 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -306,8 +306,10 @@
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <literal>0</literal> or <literal>none</literal> removes it.
+            would take precedence.  If this value is not set and there
+            is no existing DNSKEY RRset, the TTL will default to the
+            SOA TTL. Setting the default TTL to <literal>0</literal>
+            or <literal>none</literal> is the same as leaving it unset.
           </para>
         </listitem>
       </varlistentry>
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index 33a9fd5bd3..79a4756b99 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -126,8 +126,10 @@
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <literal>0</literal> or <literal>none</literal> removes it.
+            would take precedence.  If this value is not set and there
+            is no existing DNSKEY RRset, the TTL will default to the
+            SOA TTL. Setting the default TTL to <literal>0</literal>
+            or <literal>none</literal> removes it from the key.
           </para>
         </listitem>
       </varlistentry>
diff --git a/doc/arm/dnssec.xml b/doc/arm/dnssec.xml
index 7fa9aa75b3..2dc1932dc7 100644
--- a/doc/arm/dnssec.xml
+++ b/doc/arm/dnssec.xml
@@ -15,8 +15,6 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec.xml,v 1.7 2011/10/13 23:47:10 tbox Exp $ -->
-
 <sect1 id="dnssec.dynamic.zones">
   <title>DNSSEC, Dynamic Zones, and Automatic Signing</title>
   <para>As of BIND 9.7.0 it is possible to change a dynamic zone
@@ -127,6 +125,13 @@
   key changes, however.)
   </para>
   <para>
+  When new keys are added to a zone, the TTL is set to match that
+  of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
+  then the TTL will be set to the TTL specified when the key was
+  created (using the <command>dnssec-keygen -L</command> option), if
+  any, or to the SOA TTL.
+  </para>
+  <para>
   If you wish the zone to be signed using NSEC3 instead of NSEC,
   submit an NSEC3PARAM record via dynamic update prior to the
   scheduled publication and activation of the keys.  If you wish the