diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst
index f4810aeeff..762e6aa585 100644
--- a/doc/arm/dnssec.inc.rst
+++ b/doc/arm/dnssec.inc.rst
@@ -99,9 +99,13 @@ up-to-date DNSSEC practices:
         type primary;
         file "dnssec.example.db";
         dnssec-policy default;
+        inline-signing yes;
     };
 
-This single line is sufficient to create the necessary signing keys, and generate
+The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or
+:any:`inline-signing` to be enabled. In the example above we use the latter.
+
+This is sufficient to create the necessary signing keys, and generate
 ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes
 care of any DNSSEC maintenance for this zone, including replacing signatures
 that are about to expire and managing :ref:`key_rollovers`.
@@ -171,6 +175,7 @@ by configuring parental agents:
         type primary;
         file "dnssec.example.db";
         dnssec-policy default;
+        inline-signing yes;
         parental-agents { 192.0.2.1; };
     };
 
diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst
index cb2c3116e2..56eb1a514b 100644
--- a/doc/dnssec-guide/recipes.rst
+++ b/doc/dnssec-guide/recipes.rst
@@ -63,6 +63,7 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1
        file "db/example.com.db";
        key-directory "keys/example.com";
        dnssec-policy default;
+       inline-signing yes;
        allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
    };
 
@@ -142,6 +143,7 @@ signed data via zone transfer to the other three DNS secondaries. Its
        file "db/example.com.db";
        key-directory "keys/example.com";
        dnssec-policy default;
+       inline-signing yes;
        allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
    };
 
@@ -995,6 +997,7 @@ Here is what :iscman:`named.conf` looks like when it is signed:
        type primary;
        file "db/example.com.db";
        dnssec-policy "default";
+       inline-signing yes;
    };
 
 To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
@@ -1006,6 +1009,7 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
        type primary;
        file "db/example.com.db";
        dnssec-policy "insecure";
+       inline-signing yes;
    };
 
 Then use :option:`rndc reload` to reload the zone.
diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst
index d1175cdb0a..7ed5b824af 100644
--- a/doc/dnssec-guide/signing.rst
+++ b/doc/dnssec-guide/signing.rst
@@ -835,6 +835,7 @@ this example, we'll add it to the :any:`zone` statement:
    zone "example.net" in {
        ...
        dnssec-policy standard;
+       inline-signing yes;
        ...
    };
 
@@ -916,6 +917,7 @@ presence. Let's look at the following configuration excerpt:
    zone "example.net" in {
        ...
        dnssec-policy standard;
+       inline-signing yes;
        parental-agents { "net"; };
        ...
    };