diff --git a/CHANGES b/CHANGES index ed10a05d81..287df251c7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +1180. [func] dnssec-keygen should always generate keys with + protocol 3 (DNSSEC), since it's less confusing + that way. + 1179. [func] Add SIG(0) support to nsupdate. 1178. [func] Follow and cache (if appropriate) A6 and other diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index d4cc338043..ea85435bab 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -17,7 +17,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.59 2001/11/15 19:44:52 bwelling Exp $ */ +/* $Id: dnssec-keygen.c,v 1.60 2002/01/21 10:13:19 bwelling Exp $ */ #include @@ -79,7 +79,7 @@ usage(void) { "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF " "(default: AUTHCONF)\n"); fprintf(stderr, " -p : " - "default: 2 [email] for USER, 3 [dnssec] otherwise\n"); + "default: 3 [dnssec]\n"); fprintf(stderr, " -s strength value this key signs DNS " "records with (default: 0)\n"); fprintf(stderr, " -r : a file containing random data\n"); @@ -270,12 +270,8 @@ main(int argc, char **argv) { flags |= signatory; - if (protocol == -1) { - if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_USER) - protocol = DNS_KEYPROTO_EMAIL; - else - protocol = DNS_KEYPROTO_DNSSEC; - } + if (protocol == -1) + protocol = DNS_KEYPROTO_DNSSEC; if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) { if (size > 0) diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index e8b5590d52..f8814affa5 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -16,7 +16,7 @@ - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. --> - + 
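Review bot: The new default in the `main` hunk of bin/dnssec/dnssec-keygen.c is applied silently: a USER-owner key generated without `-p` used to get `DNS_KEYPROTO_EMAIL` and now gets `DNS_KEYPROTO_DNSSEC`, and nothing at the assignment says this is deliberate. I would add a comment above it, for example `/* Default to protocol 3 (DNSSEC) for every owner type; USER keys no longer default to 2 (email). */`. I would also keep braces around the body (`if (protocol == -1) {` ... `}`) so that a statement added later cannot end up outside the condition. The hunk does not show where an explicit `-p` value is range-checked against the documented 0 to 255, so that is worth confirming elsewhere in `main`, whose body starts and ends outside this hunk.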
@@ -156,8 +156,7 @@ Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 2 (email) for - keys of type USER and 3 (DNSSEC) for all other key types. + is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.