prep 9.15.1

2025-08-28 21:17:54 +00:00 · 2019-06-03 19:29:39 +00:00 · 2019-06-03 19:29:39 +00:00 · 9bb0b30bc2
commit 9bb0b30bc2
parent 7dfef18b05
76 changed files with 904 additions and 646 deletions
--- a/2
+++ b/2
@ -2,6 +2,8 @@
 			statistics when hitting recursive clients
 			soft quota. [GL #1067]
 	--- 9.15.1 released ---
 5248.	[func]		To clarify the configuration of DNSSEC keys,
 			the "managed-keys" and "trusted-keys" options
 			have both been deprecated.  The new "dnssec-keys"
--- a/2
+++ b/2
@ -1,3 +1,5 @@
 CONTRIBUTING
 BIND Source Access and Contributor Guidelines
 Feb 22, 2018
--- a/10
+++ b/10
@ -1,3 +1,5 @@
 HISTORY
 Functional enhancements from prior major releases of BIND 9
 BIND 9.14
@ -505,11 +507,11 @@ BIND 9.4.0
  * Detect duplicates of UDP queries we are recursing on and drop them.
    New stats category "duplicates".
  * "USE INTERNAL MALLOC" is now runtime selectable.
-  * The lame cache is now done on a basis as some servers only appear to
+  * The lame cache is now done on a <qname,qclass,qtype> basis as some
-    be lame for certain query types.
+    servers only appear to be lame for certain query types.
  * Limit the number of recursive clients that can be waiting for a single
-    query () to resolve. New options clients-per-query and
+    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
-    max-clients-per-query.
+    and max-clients-per-query.
  * dig: report the number of extra bytes still left in the packet after
    processing all the records.
  * Support for IPSECKEY rdata type.
--- a/4
+++ b/4
@ -1,10 +1,12 @@
 OPTIONS
 Setting the STD_CDEFINES environment variable before running configure can
 be used to enable certain compile-time options that are not explicitly
 defined in configure.
 Some of these settings are:
-Setting                   Description
+         Setting                            Description
                          Overwrite memory with tag values when allocating
 -DISC_MEM_DEFAULTFILL=1   or freeing it; this impairs performance but
                          makes debugging of memory problems easier.
--- a/27
+++ b/27
@ -1,3 +1,5 @@
 PLATFORMS
 Supported platforms
 In general, this version of BIND will build and run on any POSIX-compliant
@ -64,31 +66,6 @@ These are platforms on which BIND 9.15 is known not to build or run:
 Platform quirks
 ARM
 If the compilation ends with following error:
 Error: selected processor does not support `yield' in ARM mode
 You will need to set -march compiler option to native, so the compiler
 recognizes yield assembler instruction. The proper way to set -march=
 native would be to put it into CFLAGS, e.g. run ./configure like this:
 CFLAGS="-march=native -Os -g" ./configure plus your usual options.
 If that doesn't work, you can enforce the minimum CPU and FPU (taken from
 Debian armhf documentation):
  * The lowest worthwhile CPU implementation is Armv7-A, therefore the
    recommended build option is -march=armv7-a.
  * FPU should be set at VFPv3-D16 as they represent the minimum
    specification of the processors to support here, therefore the
    recommended build option is -mfpu=vfpv3-d16.
 The configure command should look like this:
 CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
 NetBSD 6 i386
 The i386 build of NetBSD requires the libatomic library, available from
--- a/40
+++ b/40
@ -1,3 +1,5 @@
 README
 BIND 9
 Contents
@ -134,7 +136,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
 Several environment variables that can be set before running configure
 will affect compilation:
-Variable       Description
+   Variable                            Description
 CC             The C compiler to use. configure tries to figure out the
               right one for supported systems.
               C compiler flags. Defaults to include -g and/or -O2 as
@ -187,8 +189,10 @@ operations, specify the path to the PKCS#11 provider library using
 To support the HTTP statistics channel, the server must be linked with at
 least one of the following: libxml2 http://xmlsoft.org or json-c https://
-github.com/json-c. If these are installed at a nonstandard location,
+github.com/json-c. If these are installed at a nonstandard location, then:
-specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
+
  * for libxml2, specify the prefix using --with-libxml2=/prefix,
  * for json-c, adjust PKG_CONFIG_PATH.
 To support compression on the HTTP statistics channel, the server must be
 linked against libzlib. If this is installed in a nonstandard location,
@ -286,7 +290,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
 changes listed first. Change notes include tags indicating the category of
 the change that was made; these categories are:
-Category       Description
+   Category                            Description
 [func]         New feature
 [bug]          General bug fix
 [security]     Fix for a significant security flaw
@ -321,8 +325,8 @@ issue number. Prior to 2018, these were usually of the form [RT #NNN] and
 referred to entries in the "bind9-bugs" RT database, which was not open to
 the public. More recent entries use the form [GL #NNN] or, less often, [GL
 !NNN], which, respectively, refer to issues or merge requests in the
-Gitlab database. Most of these are publically readable, unless they
+Gitlab database. Most of these are publicly readable, unless they include
-include information which is confidential or security senstive.
+information which is confidential or security senstive.
 To look up a Gitlab issue by its number, use the URL https://
 gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
@ -337,21 +341,23 @@ Acknowledgments
  * The original development of BIND 9 was underwritten by the following
    organizations:
-    Sun Microsystems, Inc.
+      Sun Microsystems, Inc.
-    Hewlett Packard
+      Hewlett Packard
-    Compaq Computer Corporation
+      Compaq Computer Corporation
-    IBM
+      IBM
-    Process Software Corporation
+      Process Software Corporation
-    Silicon Graphics, Inc.
+      Silicon Graphics, Inc.
-    Network Associates, Inc.
+      Network Associates, Inc.
-    U.S. Defense Information Systems Agency
+      U.S. Defense Information Systems Agency
-    USENIX Association
+      USENIX Association
-    Stichting NLnet - NLnet Foundation
+      Stichting NLnet - NLnet Foundation
-    Nominum, Inc.
+      Nominum, Inc.
  * This product includes software developed by the OpenSSL Project for
    use in the OpenSSL Toolkit. http://www.OpenSSL.org/
  * This product includes cryptographic software written by Eric Young
    (eay@cryptsoft.com)
  * This product includes software written by Tim Hudson
    (tjh@cryptsoft.com)
--- a/README.md
+++ b/README.md
@ -332,7 +332,7 @@ issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
 and referred to entries in the "bind9-bugs" RT database, which was not open
 to the public. More recent entries use the form `[GL #NNN]` or, less often,
 `[GL !NNN]`, which, respectively, refer to issues or merge requests in the
-Gitlab database. Most of these are publically readable, unless they include
+Gitlab database. Most of these are publicly readable, unless they include
 information which is confidential or security senstive.
 To look up a Gitlab issue by its number, use the URL
--- a/bin/delv/delv.1
+++ b/bin/delv/delv.1
@ -146,14 +146,16 @@ to specify the name of a zone containing DLV records\&.
 Note: When reading the trust anchor file,
 \fBdelv\fR
 treats
-\fBmanaged\-keys\fR
+\fBdnssec\-keys\fR\fBinitial\-key\fR
-statements and
+and
-\fBtrusted\-keys\fR
+\fBstatic\-key\fR
-statements identically\&. That is, for a managed key, it is the
+entries identically\&. That is, even if a key is configured with
-\fIinitial\fR
+\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
 key that is trusted; RFC 5011 key management is not supported\&.
 \fBdelv\fR
-will not consult the managed\-keys database maintained by
+as if it had been configured as a
 \fBstatic\-key\fR\&.
 \fBdelv\fR
 does not consult the managed keys database maintained by
 \fBnamed\fR\&. This means that if either of the keys in
 /etc/bind\&.keys
 is revoked and rolled over, it will be necessary to update
--- a/bin/delv/delv.html
+++ b/bin/delv/delv.html
@ -200,14 +200,17 @@
 	  </p>
 	  <p>
 	    Note: When reading the trust anchor file,
-	    <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
+	    <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
-	    statements and <code class="option">trusted-keys</code> statements
+	    <code class="option">initial-key</code> and <code class="option">static-key</code>
-	    identically.  That is, for a managed key, it is the
+	    entries identically.  That is, even if a key is configured
-	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
+	    with <span class="command"><strong>initial-key</strong></span>, indicating that it is
-	    key management is not supported. <span class="command"><strong>delv</strong></span>
+	    meant to be used only as an initializing key for RFC 5011
-	    will not consult the managed-keys database maintained by
+	    key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
-	    <span class="command"><strong>named</strong></span>. This means that if either of the
+	    as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
-	    keys in <code class="filename">/etc/bind.keys</code> is revoked
+	    <span class="command"><strong>delv</strong></span> does not consult the managed keys
 	    database maintained by <span class="command"><strong>named</strong></span>. This means
 	    that if either of the keys in
 	    <code class="filename">/etc/bind.keys</code> is revoked
 	    and rolled over, it will be necessary to update
 	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
 	    validation in <span class="command"><strong>delv</strong></span>.
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@ -589,11 +589,11 @@ A synonym for
 .RS 4
 Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
 \fBdig\fR
-normally sends recursive queries\&. Recursion is automatically disabled when the
+normally sends recursive queries\&. Recursion is automatically disabled when using the
 \fI+nssearch\fR
-or
+option, and when using
 \fI+trace\fR
-query options are used\&.
+except for an initial recursive query to get the list of root servers\&.
 .RE
 .PP
 \fB+retry=T\fR
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@ -797,8 +797,10 @@
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      the <em class="parameter"><code>+nssearch</code></em> or
+	      using the <em class="parameter"><code>+nssearch</code></em> option, and
-	      <em class="parameter"><code>+trace</code></em> query options are used.
+	      when using <em class="parameter"><code>+trace</code></em> except for
 	      an initial recursive query to get the list of root
 	      servers.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@ -10,12 +10,12 @@
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2018-12-07
+.\"      Date: 2019-05-10
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2018\-12\-07" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@ -97,6 +97,19 @@ dlz \fIstring\fR {
 .if n \{\
 .RE
 .\}
 .SH "DNSSEC-KEYS"
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
 dnssec\-keys { \fIstring\fR ( static\-key |
    initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
    \fIquoted_string\fR; \&.\&.\&. };
 .fi
 .if n \{\
 .RE
 .\}
 .SH "DYNDB"
 .sp
 .if n \{\
@ -149,13 +162,16 @@ logging {
 .RE
 .\}
 .SH "MANAGED-KEYS"
 .PP
 See DNSSEC\-KEYS\&.
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR
+managed\-keys { \fIstring\fR ( static\-key |
-    \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
+    initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
    \fIquoted_string\fR; \&.\&.\&. };
 .fi
 .if n \{\
 .RE
@ -257,7 +273,6 @@ options {
 	dnsrps\-options { \fIunspecified\-text\fR };
 	dnssec\-accept\-expired \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-enable \fIboolean\fR;
 	dnssec\-loadkeys\-interval \fIinteger\fR;
 	dnssec\-lookaside ( \fIstring\fR trust\-anchor
 	    \fIstring\fR | auto | no );
@ -409,11 +424,12 @@ options {
 	resolver\-retry\-interval \fIinteger\fR;
 	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
 	    \fIinteger\fR;
-	response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
+	response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
-	    \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
+	    \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
-	    disabled | drop | given | no\-op | nodata | nxdomain | passthru
+	    \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
-	    | tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
+	    nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
-	    nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
+	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
 	    break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
 	    min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
 	    nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
@ -551,13 +567,16 @@ statistics\-channels {
 .RE
 .\}
 .SH "TRUSTED-KEYS"
 .PP
 Deprecated \- see DNSSEC\-KEYS\&.
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR
+trusted\-keys { \fIstring\fR \fIinteger\fR
-    \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
+    \fIinteger\fR \fIinteger\fR
    \fIquoted_string\fR; \&.\&.\&. };, deprecated
 .fi
 .if n \{\
 .RE
@ -638,7 +657,9 @@ view \fIstring\fR [ \fIclass\fR ] {
 	dnsrps\-options { \fIunspecified\-text\fR };
 	dnssec\-accept\-expired \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
-	dnssec\-enable \fIboolean\fR;
+	dnssec\-keys { \fIstring\fR ( static\-key |
 	    initial\-key ) \fIinteger\fR \fIinteger\fR
 	    \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
 	dnssec\-loadkeys\-interval \fIinteger\fR;
 	dnssec\-lookaside ( \fIstring\fR trust\-anchor
 	    \fIstring\fR | auto | no );
@ -676,9 +697,9 @@ view \fIstring\fR [ \fIclass\fR ] {
 	key\-directory \fIquoted_string\fR;
 	lame\-ttl \fIttlval\fR;
 	lmdb\-mapsize \fIsizeval\fR;
-	managed\-keys { \fIstring\fR \fIstring\fR
+	managed\-keys { \fIstring\fR ( static\-key |
-	    \fIinteger\fR \fIinteger\fR \fIinteger\fR
+	    initial\-key ) \fIinteger\fR \fIinteger\fR
-	    \fIquoted_string\fR; \&.\&.\&. };
+	    \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
 	masterfile\-format ( map | raw | text );
 	masterfile\-style ( full | relative );
 	match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
@ -761,11 +782,12 @@ view \fIstring\fR [ \fIclass\fR ] {
 	resolver\-retry\-interval \fIinteger\fR;
 	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
 	    \fIinteger\fR;
-	response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
+	response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
-	    \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
+	    \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
-	    disabled | drop | given | no\-op | nodata | nxdomain | passthru
+	    \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
-	    | tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
+	    nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
-	    nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
+	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
 	    break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
 	    min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
 	    nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
@ -827,9 +849,10 @@ view \fIstring\fR [ \fIclass\fR ] {
 	transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
 	    ] [ dscp \fIinteger\fR ];
 	trust\-anchor\-telemetry \fIboolean\fR; // experimental
-	trusted\-keys { \fIstring\fR \fIinteger\fR
+	trusted\-keys { \fIstring\fR
-	    \fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
+	    \fIinteger\fR \fIinteger\fR
-	    \&.\&.\&. };
+	    \fIinteger\fR
 	    \fIquoted_string\fR; \&.\&.\&. };, deprecated
 	try\-tcp\-refresh \fIboolean\fR;
 	update\-check\-ksk \fIboolean\fR;
 	use\-alt\-transfer\-source \fIboolean\fR;
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@ -59,7 +59,6 @@
  <div class="refsection">
 <a name="id-1.8"></a><h2>ACL</h2>
    <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 </p></div>
@ -67,7 +66,6 @@ acl
  <div class="refsection">
 <a name="id-1.9"></a><h2>CONTROLS</h2>
    <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -85,7 +83,6 @@ controls
  <div class="refsection">
 <a name="id-1.10"></a><h2>DLZ</h2>
    <div class="literallayout"><p><br>
 dlz <em class="replaceable"><code>string</code></em> {<br>
 	database <em class="replaceable"><code>string</code></em>;<br>
@ -95,8 +92,16 @@ dlz
  </div>
  <div class="refsection">
-<a name="id-1.11"></a><h2>DYNDB</h2>
+<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
    <div class="literallayout"><p><br>
 dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
  </div>
  <div class="refsection">
 <a name="id-1.12"></a><h2>DYNDB</h2>
    <div class="literallayout"><p><br>
 dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
     <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -104,8 +109,7 @@ dyndb
  </div>
  <div class="refsection">
-<a name="id-1.12"></a><h2>KEY</h2>
+<a name="id-1.13"></a><h2>KEY</h2>
    <div class="literallayout"><p><br>
 key <em class="replaceable"><code>string</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -115,8 +119,7 @@ key
  </div>
  <div class="refsection">
-<a name="id-1.13"></a><h2>LOGGING</h2>
+<a name="id-1.14"></a><h2>LOGGING</h2>
    <div class="literallayout"><p><br>
 logging {<br>
 	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -138,17 +141,17 @@ logging
  <div class="refsection">
-<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
+<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
-
+  <p>See DNSSEC-KEYS.</p>
    <div class="literallayout"><p><br>
-managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
  </div>
  <div class="refsection">
-<a name="id-1.15"></a><h2>MASTERS</h2>
+<a name="id-1.16"></a><h2>MASTERS</h2>
    <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
     <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -158,8 +161,7 @@ masters
  </div>
  <div class="refsection">
-<a name="id-1.16"></a><h2>OPTIONS</h2>
+<a name="id-1.17"></a><h2>OPTIONS</h2>
    <div class="literallayout"><p><br>
 options {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -238,7 +240,6 @@ options
 	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
 	    <em class="replaceable"><code>string</code></em> | auto | no );<br>
@ -390,11 +391,12 @@ options
 	resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
-	response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
+	response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
-	    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
+	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
-	    disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
+	    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
-	    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
-	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
 	    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
@ -461,8 +463,7 @@ options
  </div>
  <div class="refsection">
-<a name="id-1.17"></a><h2>PLUGIN</h2>
+<a name="id-1.18"></a><h2>PLUGIN</h2>
    <div class="literallayout"><p><br>
 plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
     } ];<br>
@ -470,8 +471,7 @@ plugin
  </div>
  <div class="refsection">
-<a name="id-1.18"></a><h2>SERVER</h2>
+<a name="id-1.19"></a><h2>SERVER</h2>
    <div class="literallayout"><p><br>
 server <em class="replaceable"><code>netprefix</code></em> {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -509,8 +509,7 @@ server
  </div>
  <div class="refsection">
-<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
    <div class="literallayout"><p><br>
 statistics-channels {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -522,17 +521,17 @@ statistics-channels
  </div>
  <div class="refsection">
-<a name="id-1.20"></a><h2>TRUSTED-KEYS</h2>
+<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
-
+  <p>Deprecated - see DNSSEC-KEYS.</p>
    <div class="literallayout"><p><br>
-trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
 </p></div>
  </div>
  <div class="refsection">
-<a name="id-1.21"></a><h2>VIEW</h2>
+<a name="id-1.22"></a><h2>VIEW</h2>
    <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -604,7 +603,9 @@ view
 	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
 	    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
 	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
 	    <em class="replaceable"><code>string</code></em> | auto | no );<br>
@ -642,9 +643,9 @@ view
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
-	managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
+	managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+	    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-	    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 	masterfile-format ( map | raw | text );<br>
 	masterfile-style ( full | relative );<br>
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -727,11 +728,12 @@ view
 	resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
-	response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
+	response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
-	    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
+	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
-	    disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
+	    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
-	    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
-	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
 	    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
@ -793,9 +795,10 @@ view
 	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
 	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
-	trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+	trusted-keys { <em class="replaceable"><code>string</code></em><br>
-	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
+	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-	    ... };<br>
+	    <em class="replaceable"><code>integer</code></em><br>
 	    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
 	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
 	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
@ -907,8 +910,7 @@ view
  </div>
  <div class="refsection">
-<a name="id-1.22"></a><h2>ZONE</h2>
+<a name="id-1.23"></a><h2>ZONE</h2>
    <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -1007,14 +1009,14 @@ zone
  </div>
  <div class="refsection">
-<a name="id-1.23"></a><h2>FILES</h2>
+<a name="id-1.24"></a><h2>FILES</h2>
    <p><code class="filename">/etc/named.conf</code>
    </p>
  </div>
  <div class="refsection">
-<a name="id-1.24"></a><h2>SEE ALSO</h2>
+<a name="id-1.25"></a><h2>SEE ALSO</h2>
    <p><span class="citerefentry">
 	<span class="refentrytitle">ddns-confgen</span>(8)
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@ -284,7 +284,7 @@ maintain, and also requires the zone to be configured to allow dynamic DNS\&. (S
 .PP
 \fBmanaged\-keys \fR\fB\fI(status | refresh | sync | destroy)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
 .RS 4
-Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
+Inspect and control the "managed keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
 .sp
 .RS 4
 .ie n \{\
@ -296,7 +296,7 @@ Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC t
 .\}
 When run with the
 status
-keyword, prints the current status of the managed\-keys database\&.
+keyword, prints the current status of the managed keys database\&.
 .RE
 .sp
 .RS 4
@ -309,7 +309,7 @@ keyword, prints the current status of the managed\-keys database\&.
 .\}
 When run with the
 refresh
-keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed\-keys database if any new keys are found, without waiting the normal refresh interval\&.
+keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed keys database if any new keys are found, without waiting the normal refresh interval\&.
 .RE
 .sp
 .RS 4
@ -322,7 +322,7 @@ keyword, forces an immediate refresh query to be sent for all the managed keys,
 .\}
 When run with the
 sync
-keyword, forces an immediate dump of the managed\-keys database to disk (in the file
+keyword, forces an immediate dump of the managed keys database to disk (in the file
 managed\-keys\&.bind
 or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal file, so that the database\*(Aqs current contents can be inspected visually\&.
 .RE
@ -337,7 +337,7 @@ or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal f
 .\}
 When run with the
 destroy
-keyword, the managed\-keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
+keyword, the managed keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
 .sp
 Existing keys that are already trusted are not deleted from memory; DNSSEC validation can continue after this command is used\&. However, key maintenance operations will cease until
 \fBnamed\fR
@ -515,8 +515,12 @@ timer\&.
 \fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
 .RS 4
 Dump the security roots (i\&.e\&., trust anchors configured via
-\fBtrusted\-keys\fR,
+\fBdnssec\-keys\fR
-\fBmanaged\-keys\fR, or
+statements, or the synonymous
 \fBmanaged\-keys\fR
 or the deprecated
 \fBtrusted\-keys\fR
 statements, or via
 \fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
 .sp
 If the first argument is "\-", then the output is returned via the
@ -697,7 +701,7 @@ Delete a given TKEY\-negotiated key from the server\&. (This does not apply to s
 .RS 4
 List the names of all TSIG keys currently configured for use by
 \fBnamed\fR
-in each view\&. The list both statically configured keys and dynamic TKEY\-negotiated keys\&.
+in each view\&. The list includes both statically configured keys and dynamic TKEY\-negotiated keys\&.
 .RE
 .PP
 \fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@ -378,7 +378,7 @@
 <dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
 	  <p>
-            Inspect and control the "managed-keys" database which
+            Inspect and control the "managed keys" database which
            handles RFC 5011 DNSSEC trust anchor maintenance. If a view
            is specified, these commands are applied to that view;
            otherwise they are applied to all views.
@ -387,14 +387,14 @@
 <li class="listitem">
              <p>
                When run with the <code class="literal">status</code> keyword, prints
-                the current status of the managed-keys database.
+                the current status of the managed keys database.
              </p>
            </li>
 <li class="listitem">
              <p>
                When run with the <code class="literal">refresh</code> keyword,
                forces an immediate refresh query to be sent for all
-                the managed keys, updating the managed-keys database
+                the managed keys, updating the managed keys database
                if any new keys are found, without waiting the normal
                refresh interval.
              </p>
@ -402,7 +402,7 @@
 <li class="listitem">
              <p>
                When run with the <code class="literal">sync</code> keyword, forces an
-                immediate dump of the managed-keys database to disk
+                immediate dump of the managed keys database to disk
                (in the file <code class="filename">managed-keys.bind</code> or
                (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
                This synchronizes the database with its journal file, so
@ -413,7 +413,7 @@
 <li class="listitem">
              <p>
                When run with the <code class="literal">destroy</code> keyword, the
-                managed-keys database is shut down and deleted, and all key
+                managed keys database is shut down and deleted, and all key
                maintenance is terminated.  This command should be used only
                with extreme caution.
              </p>
@ -653,9 +653,10 @@
 <dd>
 	  <p>
 	    Dump the security roots (i.e., trust anchors
-	    configured via <span class="command"><strong>trusted-keys</strong></span>,
+	    configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
-	    <span class="command"><strong>managed-keys</strong></span>, or
+	    or the synonymous <span class="command"><strong>managed-keys</strong></span> or
-	    <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
+	    the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
 	    via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
 	    anchors for the specified views.  If no view is specified, all
 	    views are dumped.  Security roots will indicate whether
 	    they are configured as trusted keys, managed keys, or
@ -905,7 +906,7 @@
 	  <p>
 	    List the names of all TSIG keys currently configured
 	    for use by <span class="command"><strong>named</strong></span> in each view.  The
-	    list both statically configured keys and dynamic
+	    list includes both statically configured keys and dynamic
 	    TKEY-negotiated keys.
 	  </p>
 	</dd>
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@ -614,6 +614,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@ -146,6 +146,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@ -856,6 +856,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@ -54,7 +54,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#generating_dnssec_keys">Generating Keys</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
 </dl></dd>
@ -913,7 +913,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
      <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
+<a name="generating_dnssec_keys"></a>Generating Keys</h3></div></div></div>
        <p>
          The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
@ -1042,8 +1042,9 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
          <strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
          if at least one trust anchor has been explicitly configured
          in <code class="filename">named.conf</code>
-          using a <span class="command"><strong>trusted-keys</strong></span> or
+          using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
-          <span class="command"><strong>managed-keys</strong></span> statement.
+          synonymous <span class="command"><strong>managed-keys</strong></span> or the deprecated
          <span class="command"><strong>trusted-keys</strong></span> statements).
        </p>
        <p>
          When <span class="command"><strong>dnssec-validation</strong></span> is set to
@ -1056,23 +1057,20 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
        </p>
        <p>
-          <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
+          The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
-          for zones that are used to form the first link in the
+          copies of DNSKEY RRs for zones that are used to form the
-          cryptographic chain of trust.  All keys listed in
+          first link in the cryptographic chain of trust.  Keys configured
-          <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
+          with the keyword <span class="command"><strong>static-key</strong></span> are loaded directly
-          are deemed to exist and only the listed keys will be used
+          into the table of trust anchors, and can only be changed by
-          to validated the DNSKEY RRset that they are from.
+          altering the configuration. Keys configured with
          <span class="command"><strong>initial-key</strong></span> are used to initialize
          RFC 5011 trust anchor maintenance, and will be kept up to
          date automatically after the first time <span class="command"><strong>named</strong></span>
          runs.
        </p>
        <p>
-          <span class="command"><strong>managed-keys</strong></span> are trusted keys which are
+          <span class="command"><strong>dnssec-keys</strong></span> is described in more detail
          automatically kept up to date via RFC 5011 trust anchor
          maintenance.
        </p>
        <p>
          <span class="command"><strong>trusted-keys</strong></span> and
          <span class="command"><strong>managed-keys</strong></span> are described in more detail
          later in this document.
        </p>
@ -1095,7 +1093,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
        </p>
 <pre class="programlisting">
-managed-keys {
+dnssec-keys {
        /* Root Key */
        "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
                                 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
@ -1107,11 +1105,8 @@ managed-keys {
                                 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
                                 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
                                 dgxbcDTClU0CRBdiieyLMNzXG3";
 };
 trusted-keys {
        /* Key for our organization's forward zone */
-        example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+        example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
                              5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
                              GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
                              4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
@ -1124,7 +1119,7 @@ trusted-keys {
                              1OTQ09A0=";
        /* Key for our reverse zone. */
-        2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+        2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
                                       xOdNax071L18QqZnQQQAVVr+i
                                       LhGTnNGp3HoWQLUIzKrJVZ3zg
                                       gy3WwNT6kZo6c0tszYqbtvchm
@ -1516,11 +1511,11 @@ options {
    <p>To configure a validating resolver to use RFC 5011 to
    maintain a trust anchor, configure the trust anchor using a
-    <span class="command"><strong>managed-keys</strong></span> statement. Information about
+    <span class="command"><strong>dnssec-keys</strong></span> statement and the
    <span class="command"><strong>initial-key</strong></span> keyword. Information about
    this can be found in
-    <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition
+    <a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
            and Usage&#8221;</a>.</p>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@ -2845,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@ -66,13 +66,16 @@
            Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
-            Usage</a></span></dt>
+              Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
@ -882,11 +885,17 @@
 </tr>
 <tr>
 <td>
-                <p><span class="command"><strong>trusted-keys</strong></span></p>
+                <p><span class="command"><strong>dnssec-keys</strong></span></p>
              </td>
 <td>
                <p>
-                  defines trusted DNSSEC keys.
+                  defines DNSSEC keys: if used with the
                  <span class="command"><strong>initial-key</strong></span> keyword,
                  keys are kept up to date using RFC 5011
                  trust anchor maintenance, and if used with
                  <span class="command"><strong>static-key</strong></span>, keys are permanent.
                  Identical to <span class="command"><strong>managed-keys</strong></span>,
                  but has been added for improved clarity.
                </p>
              </td>
 </tr>
@ -896,8 +905,22 @@
              </td>
 <td>
                <p>
-                  lists DNSSEC keys to be kept up to date
+                  is identical to <span class="command"><strong>dnssec-keys</strong></span>,
-                  using RFC 5011 trust anchor maintenance.
+                  and is retained for backward compatibility.
                </p>
              </td>
 </tr>
 <tr>
 <td>
                <p><span class="command"><strong>trusted-keys</strong></span></p>
              </td>
 <td>
                <p>
                  defines permanent trusted DNSSEC keys;
                  this option is deprecated in favor
                  of <span class="command"><strong>dnssec-keys</strong></span> with
                  the <span class="command"><strong>static-key</strong></span> keyword,
                  and may be removed in a future release.
                </p>
              </td>
 </tr>
@ -2438,7 +2461,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>unspecified-text</code></em> };
 	<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnssec-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em> trust-anchor
 	    <em class="replaceable"><code>string</code></em> | auto | no );
@ -2590,11 +2612,12 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>resolver-retry-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
 	    <em class="replaceable"><code>integer</code></em>;
-	<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl
+	<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log
-	    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |
+	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval
-	    <span class="command"><strong>disabled</strong></span> | drop | given | no-op | nodata | nxdomain | passthru
+	    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
-	    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [
+	    <span class="command"><strong>nodata</strong></span> | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
-	    <span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [
+	    <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
 	    <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [
 	    <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [
 	    <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [
 	    <span class="command"><strong>nsip-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]
@ -2746,7 +2769,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                  configurable options be consistent among these
                  views:
                  <span class="command"><strong>check-names</strong></span>,
                  <span class="command"><strong>cleaning-interval</strong></span>,
                  <span class="command"><strong>dnssec-accept-expired</strong></span>,
                  <span class="command"><strong>dnssec-validation</strong></span>,
                  <span class="command"><strong>max-cache-ttl</strong></span>,
@ -3042,10 +3064,12 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 <dd>
              <p>
                Specifies the directory in which to store the files that
-                track managed DNSSEC keys.  By default, this is the working
+                track managed DNSSEC keys (i.e., those configured using
-                directory.  The directory <span class="emphasis"><em>must</em></span>
+                the <span class="command"><strong>initial-key</strong></span> keyword in a
-                be writable by the effective user ID of the
+                <span class="command"><strong>dnssec-keys</strong></span> statement).  By default,
-                <span class="command"><strong>named</strong></span> process.
+                this is the working directory.  The directory
                <span class="emphasis"><em>must</em></span> be writable by the effective
                user ID of the <span class="command"><strong>named</strong></span> process.
              </p>
              <p>
                If <span class="command"><strong>named</strong></span> is not configured to use views,
@ -3468,10 +3492,10 @@ options {
                then <span class="command"><strong>named</strong></span> will only accept answers if
                they are secure.  If <strong class="userinput"><code>no</code></strong>, then normal
                DNSSEC validation applies allowing for insecure answers to
-                be accepted.  The specified domain must be under a
+                be accepted.  The specified domain must be defined as a
-                <span class="command"><strong>trusted-keys</strong></span> or
+                trust anchor, for instance in a <span class="command"><strong>dnssec-keys</strong></span>
-                <span class="command"><strong>managed-keys</strong></span> statement, or
+                statement, or <span class="command"><strong>dnssec-validation auto</strong></span> must
-                <span class="command"><strong>dnssec-validation auto</strong></span> must be active.
+                be active.
              </p>
            </dd>
 <dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
@ -4459,8 +4483,8 @@ options {
                <p>
                  Causes <span class="command"><strong>named</strong></span> to send specially-formed
                  queries once per day to domains for which trust anchors
-                  have been configured via <span class="command"><strong>trusted-keys</strong></span>,
+                  have been configured via, e.g.,
-                  <span class="command"><strong>managed-keys</strong></span>, or
+                  <span class="command"><strong>dnssec-keys</strong></span> or
                  <span class="command"><strong>dnssec-validation auto</strong></span>.
                </p>
                <p>
@ -4651,10 +4675,11 @@ options {
                <p>
                  If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is
                  enabled, but a trust anchor must be manually configured
-                  using a <span class="command"><strong>trusted-keys</strong></span>
+                  using a <span class="command"><strong>dnssec-keys</strong></span> statement (or
-                  or <span class="command"><strong>managed-keys</strong></span> statement; if there
+                  the synonymous <span class="command"><strong>managed-keys</strong></span>, or the
-                  is no configured trust anchor, validation will not take
+                  deprecated <span class="command"><strong>trusted-keys</strong></span> statements).
-                  place.
+                  If there is no configured trust anchor, validation will
                  not take place.
                </p>
                <p>
                  If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
@ -6441,14 +6466,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 <dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt>
 <dd>
                <p>
-                  This interval is effectively obsolete.  Previously,
+                  This option is obsolete.
                  the server would remove expired resource records
                  from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes.
                  <acronym class="acronym">BIND</acronym> 9 now manages cache
                  memory in a more sophisticated manner and does not
                  rely on the periodic cleaning any more.
                  Specifying this option therefore has no effect on
                  the server's behavior.
                </p>
              </dd>
 <dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt>
@ -8691,10 +8709,10 @@ example.com                 CNAME   rpz-tcp-only.
          </p>
        </div>
-      <div class="section">
+        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+          <pre class="programlisting">
 <span class="command"><strong>statistics-channels</strong></span> {
 	<span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
 	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
@ -8702,260 +8720,244 @@ example.com                 CNAME   rpz-tcp-only.
 	    } ];
 };
 </pre>
-      </div>
+        </div>
      <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
            Usage</h3></div></div></div>
        <p>
          The <span class="command"><strong>statistics-channels</strong></span> statement
          declares communication channels to be used by system
          administrators to get access to statistics information of
          the name server.
        </p>
        <p>
          This statement intends to be flexible to support multiple
          communication protocols in the future, but currently only
          HTTP access is supported.
          It requires that BIND 9 be compiled with libxml2 and/or
          json-c (also known as libjson0); the
          <span class="command"><strong>statistics-channels</strong></span> statement is
          still accepted even if it is built without the library,
          but any HTTP access will fail with an error.
        </p>
        <p>
          An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
          listening at the specified <span class="command"><strong>ip_port</strong></span> on the
          specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
          address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
          (asterisk) is
          interpreted as the IPv4 wildcard address; connections will be
          accepted on any of the system's IPv4 addresses.
          To listen on the IPv6 wildcard address,
          use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
        </p>
        <p>
          If no port is specified, port 80 is used for HTTP channels.
          The asterisk "<code class="literal">*</code>" cannot be used for
          <span class="command"><strong>ip_port</strong></span>.
        </p>
        <p>
          The attempt of opening a statistics channel is
          restricted by the optional <span class="command"><strong>allow</strong></span> clause.
          Connections to the statistics channel are permitted based on the
          <span class="command"><strong>address_match_list</strong></span>.
          If no <span class="command"><strong>allow</strong></span> clause is present,
          <span class="command"><strong>named</strong></span> accepts connection
          attempts from any address; since the statistics may
          contain sensitive internal information, it is highly
          recommended to restrict the source of connection requests
          appropriately.
        </p>
        <p>
          If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
          <span class="command"><strong>named</strong></span> will not open any communication channels.
        </p>
        <p>
          The statistics are available in various formats and views
          depending on the URI used to access them.  For example, if
          the statistics channel is configured to listen on 127.0.0.1
          port 8888, then the statistics are accessible in XML format at
          <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
          <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
          included which can format the XML statistics into tables
          when viewed with a stylesheet-capable browser, and into
          charts and graphs using the Google Charts API when using a
          javascript-capable browser.
        </p>
        <p>
          Broken-out subsets of the statistics can be viewed at
          <a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
          (server uptime and last reconfiguration time),
          <a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
          (server and resolver statistics),
          <a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
          (zone statistics),
          <a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
          (network status and socket statistics),
          <a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
          (memory manager statistics),
          <a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
          (task manager statistics), and
          <a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
          (traffic sizes).
        </p>
        <p>
          The full set of statistics can also be read in JSON format at
          <a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
          with the broken-out subsets at
          <a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
          (server uptime and last reconfiguration time),
          <a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
          (server and resolver statistics),
          <a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
          (zone statistics),
          <a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
          (network status and socket statistics),
          <a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
          (memory manager statistics),
          <a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
          (task manager statistics), and
          <a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
          (traffic sizes).
        </p>
      </div>
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
              Usage</h3></div></div></div>
          <p>
            The <span class="command"><strong>statistics-channels</strong></span> statement
            declares communication channels to be used by system
            administrators to get access to statistics information of
            the name server.
          </p>
          <p>
            This statement intends to be flexible to support multiple
            communication protocols in the future, but currently only
            HTTP access is supported.
            It requires that BIND 9 be compiled with libxml2 and/or
            json-c (also known as libjson0); the
            <span class="command"><strong>statistics-channels</strong></span> statement is
            still accepted even if it is built without the library,
            but any HTTP access will fail with an error.
          </p>
          <p>
            An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
            listening at the specified <span class="command"><strong>ip_port</strong></span> on the
            specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
            address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
            (asterisk) is
            interpreted as the IPv4 wildcard address; connections will be
            accepted on any of the system's IPv4 addresses.
            To listen on the IPv6 wildcard address,
            use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
          </p>
          <p>
            If no port is specified, port 80 is used for HTTP channels.
            The asterisk "<code class="literal">*</code>" cannot be used for
            <span class="command"><strong>ip_port</strong></span>.
          </p>
          <p>
            The attempt of opening a statistics channel is
            restricted by the optional <span class="command"><strong>allow</strong></span> clause.
            Connections to the statistics channel are permitted based on the
            <span class="command"><strong>address_match_list</strong></span>.
            If no <span class="command"><strong>allow</strong></span> clause is present,
            <span class="command"><strong>named</strong></span> accepts connection
            attempts from any address; since the statistics may
            contain sensitive internal information, it is highly
            recommended to restrict the source of connection requests
            appropriately.
          </p>
          <p>
            If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
            <span class="command"><strong>named</strong></span> will not open any communication channels.
          </p>
          <p>
            The statistics are available in various formats and views
            depending on the URI used to access them.  For example, if
            the statistics channel is configured to listen on 127.0.0.1
            port 8888, then the statistics are accessible in XML format at
            <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
            <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
            included which can format the XML statistics into tables
            when viewed with a stylesheet-capable browser, and into
            charts and graphs using the Google Charts API when using a
            javascript-capable browser.
          </p>
          <p>
            Broken-out subsets of the statistics can be viewed at
            <a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
            (server uptime and last reconfiguration time),
            <a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
            (server and resolver statistics),
            <a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
            (zone statistics),
            <a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
            (network status and socket statistics),
            <a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
            (memory manager statistics),
            <a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
            (task manager statistics), and
            <a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
            (traffic sizes).
          </p>
          <p>
            The full set of statistics can also be read in JSON format at
            <a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
            with the broken-out subsets at
            <a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
            (server uptime and last reconfiguration time),
            <a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
            (server and resolver statistics),
            <a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
            (zone statistics),
            <a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
            (network status and socket statistics),
            <a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
            (memory manager statistics),
            <a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
            (task manager statistics), and
            <a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
            (traffic sizes).
          </p>
        </div>
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="dnssec_keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</h3></div></div></div>
        <pre class="programlisting">
-<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+<span class="command"><strong>dnssec-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
+    <span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
    <em class="replaceable"><code>quoted_string</code></em>; ... };
 </pre>
        </div>
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
+<a name="dnssec-keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
            and Usage</h3></div></div></div>
          <p>
-            The <span class="command"><strong>trusted-keys</strong></span> statement defines
+            The <span class="command"><strong>dnssec-keys</strong></span> statement defines DNSSEC
-            DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
+            trust anchors.  DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>.
            public key for a non-authoritative zone is known, but
            cannot be securely obtained through DNS, either because
            it is the DNS root zone or because its parent zone is
            unsigned.  Once a key has been configured as a trusted
            key, it is treated as if it had been validated and
            proven secure. The resolver attempts DNSSEC validation
            on all DNS data in subdomains of a security root.
          </p>
          <p>
-            All keys (and corresponding zones) listed in
+            A trust anchor is defined when the public key for
-            <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless
+            a non-authoritative zone is known, but cannot be securely
-            of what parent zones say.  Similarly for all keys listed in
+            obtained through DNS, either because it is the DNS root zone
-            <span class="command"><strong>trusted-keys</strong></span> only those keys are
+            or because its parent zone is unsigned.  Once a key has been
-            used to validate the DNSKEY RRset.  The parent's DS RRset
+            configured as a trust anchor, it is treated as if it had
-            will not be used.
+            been validated and proven secure.
          </p>
          <p>
-            The <span class="command"><strong>trusted-keys</strong></span> statement can contain
+            The resolver attempts DNSSEC validation on all DNS data
            in subdomains of configured trust anchors.  (Validation below
            specified names can be temporarily disabled by using
            <span class="command"><strong>rndc nta</strong></span>, or permanently disabled with
            the <span class="command"><strong>validate-except</strong></span> option).
          </p>
          <p>
            All keys listed in <span class="command"><strong>dnssec-keys</strong></span>, and
            their corresponding zones, are deemed to exist regardless
            of what parent zones say.   Only keys configured as trust anchors
            are used to validate the DNSKEY RRset for the corresponding
            name.  The parent's DS RRset will not be used.
          </p>
          <p>
            The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
            multiple key entries, each consisting of the key's
-            domain name, flags, protocol, algorithm, and the Base64
+            domain name, followed by the <span class="command"><strong>static-key</strong></span> or
-            representation of the key data.
+            <span class="command"><strong>initial-key</strong></span> keyword, then the key's flags,
-            Spaces, tabs, newlines and carriage returns are ignored
+            protocol, algorithm, and the Base64 representation of the key
            data.  Spaces, tabs, newlines and carriage returns are ignored
            in the key data, so the configuration may be split up into
            multiple lines.
          </p>
          <p>
-            <span class="command"><strong>trusted-keys</strong></span> may be set at the top level
+            <span class="command"><strong>dnssec-keys</strong></span> may be set at the top level
            of <code class="filename">named.conf</code> or within a view.  If it is
-            set in both places, they are additive: keys defined at the top
+            set in both places, the configurations are additive: keys
-            level are inherited by all views, but keys defined in a view
+            defined at the top level are inherited by all views, but keys
-            are only used within that view.
+            defined in a view are only used within that view.
          </p>
          <p>
-            Validation below specified names can be temporarily disabled
+            <span class="command"><strong>dnssec-keys</strong></span> entries can be configured with
-            by using <span class="command"><strong>rndc nta</strong></span>.
+            two keywords: <span class="command"><strong>static-key</strong></span> or
-          </p>
+            <span class="command"><strong>initial-key</strong></span>.  Keys configured with
-        </div>
+            <span class="command"><strong>static-key</strong></span> are immutable,
-
+            while keys configured with <span class="command"><strong>initial-key</strong></span>
-        <div class="section">
+            can be kept up to date automatically, without intervention
-<div class="titlepage"><div><div><h3 class="title">
+            from the resolver operator. (<span class="command"><strong>static-key</strong></span>
-<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
+            keys are identical to keys configured using the deprecated
-        <pre class="programlisting">
+            <span class="command"><strong>trusted-keys</strong></span> statement.)
 <span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
 </pre>
        </div>
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</h3></div></div></div>
          <p>
            The <span class="command"><strong>managed-keys</strong></span> statement, like
            <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC
            security roots.  The difference is that
            <span class="command"><strong>managed-keys</strong></span> can be kept up to date
            automatically, without intervention from the resolver
            operator.
          </p>
          <p>
            Suppose, for example, that a zone's key-signing
            key was compromised, and the zone owner had to revoke and
-            replace the key.  A resolver which had the old key in a
+            replace the key.  A resolver which had the original key
-            <span class="command"><strong>trusted-keys</strong></span> statement would be
+            configured as a <span class="command"><strong>static-key</strong></span> would be
            unable to validate this zone any longer; it would
            reply with a SERVFAIL response code.  This would
            continue until the resolver operator had updated the
-            <span class="command"><strong>trusted-keys</strong></span> statement with the new key.
+            <span class="command"><strong>dnssec-keys</strong></span> statement with the new key.
          </p>
          <p>
-            If, however, the zone were listed in a
+            If, however, the trust anchor had been configured with
-            <span class="command"><strong>managed-keys</strong></span> statement instead, then the
+            <span class="command"><strong>initial-key</strong></span> instead, then the
-            zone owner could add a "stand-by" key to the zone in advance.
+            zone owner could add a "stand-by" key to their zone in advance.
            <span class="command"><strong>named</strong></span> would store the stand-by key, and
            when the original key was revoked, <span class="command"><strong>named</strong></span>
            would be able to transition smoothly to the new key.  It would
            also recognize that the old key had been revoked, and cease
            using that key to validate answers, minimizing the damage that
-            the compromised key could do.
+            the compromised key could do. This is the process used to
            keep the ICANN root DNSSEC key up to date.
          </p>
          <p>
-            A <span class="command"><strong>managed-keys</strong></span> statement contains a list of
+            Whereas <span class="command"><strong>static-key</strong></span>
-            the keys to be managed, along with information about how the
+            keys continue to be trusted until they are removed from
-            keys are to be initialized for the first time.  The only
+            <code class="filename">named.conf</code>, an
-            initialization method currently supported is
+            <span class="command"><strong>initial-key</strong></span> is only trusted
-            <code class="literal">initial-key</code>.
+            <span class="emphasis"><em>once</em></span>: for as long as it
-            This means the <span class="command"><strong>managed-keys</strong></span> statement must
+            takes to load the managed key database and start the RFC 5011
-            contain a copy of the initializing key.  (Future releases may
+            key maintenance process.
            allow keys to be initialized by other methods, eliminating this
            requirement.)
          </p>
          <p>
-            Consequently, a <span class="command"><strong>managed-keys</strong></span> statement
+            The first time <span class="command"><strong>named</strong></span> runs with an
-            appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing
+            <span class="command"><strong>initial-key</strong></span> configured in
-            in the presence of the second field, containing the keyword
+            <code class="filename">named.conf</code>, it fetches the
            <code class="literal">initial-key</code>.  The difference is, whereas the
            keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be
            trusted until they are removed from
            <code class="filename">named.conf</code>, an initializing key listed
            in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted
            <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
            managed key database and start the RFC 5011 key maintenance
            process.
          </p>
          <p>
            The first time <span class="command"><strong>named</strong></span> runs with a managed key
            configured in <code class="filename">named.conf</code>, it fetches the
            DNSKEY RRset directly from the zone apex, and validates it
-            using the key specified in the <span class="command"><strong>managed-keys</strong></span>
+            using the key specified in <span class="command"><strong>dnssec-keys</strong></span>.
-            statement.  If the DNSKEY RRset is validly signed, then it is
+            If the DNSKEY RRset is validly signed, then it is
            used as the basis for a new managed keys database.
          </p>
          <p>
            From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
-            sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to
+            sees the <span class="command"><strong>initial-key</strong></span> listed in
            <span class="command"><strong>dnssec-keys</strong></span>, checks to
            make sure RFC 5011 key maintenance has already been initialized
            for the specified domain, and if so, it simply moves on.  The
-            key specified in the <span class="command"><strong>managed-keys</strong></span>
+            key specified in the <span class="command"><strong>dnssec-keys</strong></span>
-            statement is not used to validate answers; it has been
+            statement is not used to validate answers; it is
-            superseded by the key or keys stored in the managed keys database.
+            superseded by the key or keys stored in the managed keys
            database.
          </p>
          <p>
-            The next time <span class="command"><strong>named</strong></span> runs after a name
+            The next time <span class="command"><strong>named</strong></span> runs after an
-            has been <span class="emphasis"><em>removed</em></span> from the
+            <span class="command"><strong>initial-key</strong></span> has been
-            <span class="command"><strong>managed-keys</strong></span> statement, the corresponding
+            <span class="emphasis"><em>removed</em></span> from the
            <span class="command"><strong>dnssec-keys</strong></span> statement (or changed to
            a <span class="command"><strong>static-key</strong></span>), the corresponding
            zone will be removed from the managed keys database,
            and RFC 5011 key maintenance will no longer be used for that
            domain.
@ -8990,8 +8992,8 @@ example.com                 CNAME   rpz-tcp-only.
          <p>
            If the <span class="command"><strong>dnssec-validation</strong></span> option is
            set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
-            will automatically initialize a managed key for the
+            will automatically initialize an <span class="command"><strong>initial-key</strong></span>
-            root zone.  The key that is used to initialize the key
+            for the root zone.  The key that is used to initialize the key
            maintenance process is stored in <code class="filename">bind.keys</code>;
            the location of this file can be overridden with the
            <span class="command"><strong>bindkeys-file</strong></span> option. As a fallback
@ -9003,6 +9005,48 @@ example.com                 CNAME   rpz-tcp-only.
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
        <pre class="programlisting">
 <span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
    <span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
    <em class="replaceable"><code>quoted_string</code></em>; ... };
 </pre>
        </div>
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</h3></div></div></div>
          <p>
            The <span class="command"><strong>managed-keys</strong></span> statement is
            identical to the <span class="command"><strong>dnssec-keys</strong></span>, and is
            retained for backward compatibility.
          </p>
        </div>
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
        <pre class="programlisting">
 <span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated
 </pre>
        </div>
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
            and Usage</h3></div></div></div>
          <p>
            The <span class="command"><strong>trusted-keys</strong></span> statement has been
            deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar&#8221;</a>
            with the <span class="command"><strong>static</strong></span> keyword.
          </p>
        </div>
        <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
@ -14869,6 +14913,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@ -191,6 +191,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@ -36,7 +36,7 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@ -55,7 +55,7 @@
 </div>
      <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@ -145,7 +145,15 @@
 	<p>
 	  The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
 	  option could be exceeded in some cases. This could lead to
-	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+	  exhaustion of file descriptors. This flaw is disclosed in
 	  CVE-2018-5743. [GL #615]
 	</p>
      </li>
 <li class="listitem">
 	<p>
 	  A race condition could trigger an assertion failure when
 	  a large number of incoming packets were being rejected.
 	  This flaw is disclosed in CVE-2019-6471. [GL #942]
 	</p>
      </li>
 </ul></div>
@ -154,37 +162,76 @@
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
 	  In order to clarify the configuration of DNSSEC keys,
 	  the <span class="command"><strong>trusted-keys</strong></span> and
 	  <span class="command"><strong>managed-keys</strong></span> statements have been
 	  deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
 	  statement should now be used for both types of key.
 	</p>
 	<p>
 	  When used with the keyword <span class="command"><strong>initial-key</strong></span>,
 	  <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
 	  <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
 	  a trust anchor that is to be maintained via RFC 5011.
 	</p>
 	<p>
 	  When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
 	  has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
 	  configuring a permanent trust anchor that will not automatically
 	  be updated.  (This usage is not recommended for the root key.)
 	  [GL #6]
 	</p>
      </li>
 <li class="listitem">
 	<p>
 	  The new <span class="command"><strong>add-soa</strong></span> option specifies whether
 	  or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
 	  should be included in the additional section of RPZ responses.
 	  [GL #865]
        </p>
-      </li></ul></div>
+      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
 	  The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
 	  no longer has any effect. DNSSEC responses are always enabled
 	  if signatures and other DNSSEC data are present. [GL #866]
 	</p>
-      </li></ul></div>
+      </li>
 <li class="listitem">
 	<p>
 	  The <span class="command"><strong>cleaning-interval</strong></span> option has been
 	  removed.  [GL !1731]
 	</p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
 	  <span class="command"><strong>named</strong></span> will now log a warning if
 	  a static key is configured for the root zone, or if
 	  any key is configured for "dlv.isc.org", which has been shut
 	  down. [GL #6]
 	</p>
      </li>
 <li class="listitem">
 	<p>
-	  When <span class="command"><strong>trusted-keys</strong></span> and
+	  When static and managed DNSSEC keys were both configured for the
-	  <span class="command"><strong>managed-keys</strong></span> were both configured for the
+	  same name, or when a static key was used to
 	  same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
 	  configure a trust anchor for the root zone and
 	  <span class="command"><strong>dnssec-validation</strong></span> was set to the default
 	  value of <code class="literal">auto</code>, automatic RFC 5011 key
@ -209,13 +256,26 @@
 	  <span class="command"><strong>dnssec-checkds</strong></span>.
 	</p>
      </li>
 <li class="listitem">
 	<p>
 	  JSON-C is now the only supported library for enabling JSON
 	  support for BIND statistics. The <span class="command"><strong>configure</strong></span>
 	  option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
 	  to <span class="command"><strong>--with-json-c</strong></span>.  Use
 	  <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
 	  the <span class="command"><strong>json-c</strong></span> library as the new
 	  <span class="command"><strong>configure</strong></span> option does not take the library
 	  installation path as an optional argument.
 	</p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
 	  The <span class="command"><strong>allow-update</strong></span> and
 	  <span class="command"><strong>allow-update-forwarding</strong></span> options were
@ -224,14 +284,26 @@
 	  This has now been corrected.
 	  [GL #913]
 	</p>
-      </li></ul></div>
+      </li>
 <li class="listitem">
        <p>
 	  When <span class="command"><strong>qname-minimization</strong></span> was set to
          <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
          would fail to resolve, but would have succeeded when minimization
          was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
          resolution in such cases, and also uses type A rather than NS for
          minimal queries in order to reduce the likelihood of encountering
          the problem. [GL #1055]
 	</p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License</h3></div></div></div>
    <p>
-      BIND is open source software licenced under the terms of the Mozilla
+      BIND is open source software licensed under the terms of the Mozilla
      Public License, version 2.0 (see the <code class="filename">LICENSE</code>
      file for the full text).
    </p>
@ -299,6 +371,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@ -914,6 +914,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch11.html
+++ b/doc/arm/Bv9ARM.ch11.html
@ -170,10 +170,14 @@ $ <strong class="userinput"><code>make</code></strong>
      parameters. By default the path to this configuration file is
      <code class="filename">/etc/dns.conf</code>.  This module is very experimental
      and the configuration syntax or library interfaces may change in
-      future versions. Currently, only the <span class="command"><strong>trusted-keys</strong></span>
+      future versions.  Currently, only static key configuration is supported.
-      statement is supported, whose syntax is the same as the same
+      <span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
-      statement in <code class="filename">named.conf</code>. (See
+      statements are parsed exactly as they are in
-      <a class="xref" href="Bv9ARM.ch05.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span class="command"><strong>trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)
+      <code class="filename">named.conf</code>, except that all
      <span class="command"><strong>managed-keys</strong></span> entries will be treated as
      if they were configured with the <span class="command"><strong>static-key</strong></span>
      keyword, even if they are configured with <span class="command"><strong>initial-key</strong></span>.
      (See <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Grammar">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Grammar&#8221;</a> for syntax details.)
    </p>
  </div>
  <div class="section">
@ -533,6 +537,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch12.html
+++ b/doc/arm/Bv9ARM.ch12.html
@ -210,6 +210,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.15.0</p></div>
+<div><p class="releaseinfo">BIND Version 9.15.1</p></div>
 <div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
@ -102,7 +102,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#generating_dnssec_keys">Generating Keys</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
 </dl></dd>
@ -191,13 +191,16 @@
            Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
-            Usage</a></span></dt>
+              Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
@ -242,7 +245,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@ -440,6 +443,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@ -90,6 +90,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@ -220,6 +220,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@ -218,14 +218,17 @@
 	  </p>
 	  <p>
 	    Note: When reading the trust anchor file,
-	    <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
+	    <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
-	    statements and <code class="option">trusted-keys</code> statements
+	    <code class="option">initial-key</code> and <code class="option">static-key</code>
-	    identically.  That is, for a managed key, it is the
+	    entries identically.  That is, even if a key is configured
-	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
+	    with <span class="command"><strong>initial-key</strong></span>, indicating that it is
-	    key management is not supported. <span class="command"><strong>delv</strong></span>
+	    meant to be used only as an initializing key for RFC 5011
-	    will not consult the managed-keys database maintained by
+	    key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
-	    <span class="command"><strong>named</strong></span>. This means that if either of the
+	    as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
-	    keys in <code class="filename">/etc/bind.keys</code> is revoked
+	    <span class="command"><strong>delv</strong></span> does not consult the managed keys
 	    database maintained by <span class="command"><strong>named</strong></span>. This means
 	    that if either of the keys in
 	    <code class="filename">/etc/bind.keys</code> is revoked
 	    and rolled over, it will be necessary to update
 	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
 	    validation in <span class="command"><strong>delv</strong></span>.
@ -625,6 +628,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@ -815,8 +815,10 @@
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      the <em class="parameter"><code>+nssearch</code></em> or
+	      using the <em class="parameter"><code>+nssearch</code></em> option, and
-	      <em class="parameter"><code>+trace</code></em> query options are used.
+	      when using <em class="parameter"><code>+trace</code></em> except for
 	      an initial recursive query to get the list of root
 	      servers.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
@ -1158,6 +1160,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-cds.html
+++ b/doc/arm/man.dnssec-cds.html
@ -376,6 +376,6 @@ nsupdate -l
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@ -164,6 +164,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@ -270,6 +270,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@ -356,6 +356,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@ -250,6 +250,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@ -498,6 +498,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@ -557,6 +557,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-keymgr.html
+++ b/doc/arm/man.dnssec-keymgr.html
@ -405,6 +405,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@ -171,6 +171,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@ -349,6 +349,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@ -701,6 +701,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@ -202,6 +202,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.dnstap-read.html
+++ b/doc/arm/man.dnstap-read.html
@ -143,6 +143,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.filter-aaaa.html
+++ b/doc/arm/man.filter-aaaa.html
@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@ -366,6 +366,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.mdig.html
+++ b/doc/arm/man.mdig.html
@ -604,6 +604,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@ -208,6 +208,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@ -463,6 +463,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@ -117,6 +117,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-nzd2nzf.html
+++ b/doc/arm/man.named-nzd2nzf.html
@ -119,6 +119,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@ -121,6 +121,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@ -77,7 +77,6 @@
  <div class="refsection">
 <a name="id-1.13.27.8"></a><h2>ACL</h2>
    <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 </p></div>
@ -85,7 +84,6 @@ acl
  <div class="refsection">
 <a name="id-1.13.27.9"></a><h2>CONTROLS</h2>
    <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -103,7 +101,6 @@ controls
  <div class="refsection">
 <a name="id-1.13.27.10"></a><h2>DLZ</h2>
    <div class="literallayout"><p><br>
 dlz <em class="replaceable"><code>string</code></em> {<br>
 	database <em class="replaceable"><code>string</code></em>;<br>
@ -113,8 +110,16 @@ dlz
  </div>
  <div class="refsection">
-<a name="id-1.13.27.11"></a><h2>DYNDB</h2>
+<a name="id-1.13.27.11"></a><h2>DNSSEC-KEYS</h2>
    <div class="literallayout"><p><br>
 dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
  </div>
  <div class="refsection">
 <a name="id-1.13.27.12"></a><h2>DYNDB</h2>
    <div class="literallayout"><p><br>
 dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
     <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -122,8 +127,7 @@ dyndb
  </div>
  <div class="refsection">
-<a name="id-1.13.27.12"></a><h2>KEY</h2>
+<a name="id-1.13.27.13"></a><h2>KEY</h2>
    <div class="literallayout"><p><br>
 key <em class="replaceable"><code>string</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -133,8 +137,7 @@ key
  </div>
  <div class="refsection">
-<a name="id-1.13.27.13"></a><h2>LOGGING</h2>
+<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
    <div class="literallayout"><p><br>
 logging {<br>
 	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -156,17 +159,17 @@ logging
  <div class="refsection">
-<a name="id-1.13.27.14"></a><h2>MANAGED-KEYS</h2>
+<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
-
+  <p>See DNSSEC-KEYS.</p>
    <div class="literallayout"><p><br>
-managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
  </div>
  <div class="refsection">
-<a name="id-1.13.27.15"></a><h2>MASTERS</h2>
+<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
    <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
     <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -176,8 +179,7 @@ masters
  </div>
  <div class="refsection">
-<a name="id-1.13.27.16"></a><h2>OPTIONS</h2>
+<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
    <div class="literallayout"><p><br>
 options {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -256,7 +258,6 @@ options
 	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
 	    <em class="replaceable"><code>string</code></em> | auto | no );<br>
@ -408,11 +409,12 @@ options
 	resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
-	response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
+	response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
-	    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
+	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
-	    disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
+	    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
-	    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
-	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
 	    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
@ -479,8 +481,7 @@ options
  </div>
  <div class="refsection">
-<a name="id-1.13.27.17"></a><h2>PLUGIN</h2>
+<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
    <div class="literallayout"><p><br>
 plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
     } ];<br>
@ -488,8 +489,7 @@ plugin
  </div>
  <div class="refsection">
-<a name="id-1.13.27.18"></a><h2>SERVER</h2>
+<a name="id-1.13.27.19"></a><h2>SERVER</h2>
    <div class="literallayout"><p><br>
 server <em class="replaceable"><code>netprefix</code></em> {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -527,8 +527,7 @@ server
  </div>
  <div class="refsection">
-<a name="id-1.13.27.19"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
    <div class="literallayout"><p><br>
 statistics-channels {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -540,17 +539,17 @@ statistics-channels
  </div>
  <div class="refsection">
-<a name="id-1.13.27.20"></a><h2>TRUSTED-KEYS</h2>
+<a name="id-1.13.27.21"></a><h2>TRUSTED-KEYS</h2>
-
+  <p>Deprecated - see DNSSEC-KEYS.</p>
    <div class="literallayout"><p><br>
-trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
 </p></div>
  </div>
  <div class="refsection">
-<a name="id-1.13.27.21"></a><h2>VIEW</h2>
+<a name="id-1.13.27.22"></a><h2>VIEW</h2>
    <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -622,7 +621,9 @@ view
 	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
 	    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
 	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
 	    <em class="replaceable"><code>string</code></em> | auto | no );<br>
@ -660,9 +661,9 @@ view
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
-	managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
+	managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+	    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-	    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 	masterfile-format ( map | raw | text );<br>
 	masterfile-style ( full | relative );<br>
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -745,11 +746,12 @@ view
 	resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
-	response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
+	response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
-	    <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
+	    <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
-	    disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
+	    <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
-	    | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
+	    nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
-	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
+	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
 	    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
@ -811,9 +813,10 @@ view
 	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
 	    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
 	trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
-	trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+	trusted-keys { <em class="replaceable"><code>string</code></em><br>
-	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
+	    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-	    ... };<br>
+	    <em class="replaceable"><code>integer</code></em><br>
 	    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
 	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
 	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
@ -925,8 +928,7 @@ view
  </div>
  <div class="refsection">
-<a name="id-1.13.27.22"></a><h2>ZONE</h2>
+<a name="id-1.13.27.23"></a><h2>ZONE</h2>
    <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -1025,14 +1027,14 @@ zone
  </div>
  <div class="refsection">
-<a name="id-1.13.27.23"></a><h2>FILES</h2>
+<a name="id-1.13.27.24"></a><h2>FILES</h2>
    <p><code class="filename">/etc/named.conf</code>
    </p>
  </div>
  <div class="refsection">
-<a name="id-1.13.27.24"></a><h2>SEE ALSO</h2>
+<a name="id-1.13.27.25"></a><h2>SEE ALSO</h2>
    <p><span class="citerefentry">
 	<span class="refentrytitle">ddns-confgen</span>(8)
@ -1073,6 +1075,6 @@ zone
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@ -492,6 +492,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.nslookup.html
+++ b/doc/arm/man.nslookup.html
@ -437,6 +437,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@ -818,6 +818,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.pkcs11-destroy.html
+++ b/doc/arm/man.pkcs11-destroy.html
@ -162,6 +162,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.pkcs11-keygen.html
+++ b/doc/arm/man.pkcs11-keygen.html
@ -200,6 +200,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.pkcs11-list.html
+++ b/doc/arm/man.pkcs11-list.html
@ -158,6 +158,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.pkcs11-tokens.html
+++ b/doc/arm/man.pkcs11-tokens.html
@ -123,6 +123,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@ -260,6 +260,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@ -268,6 +268,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@ -394,7 +394,7 @@
 <dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
 	  <p>
-            Inspect and control the "managed-keys" database which
+            Inspect and control the "managed keys" database which
            handles RFC 5011 DNSSEC trust anchor maintenance. If a view
            is specified, these commands are applied to that view;
            otherwise they are applied to all views.
@ -403,14 +403,14 @@
 <li class="listitem">
              <p>
                When run with the <code class="literal">status</code> keyword, prints
-                the current status of the managed-keys database.
+                the current status of the managed keys database.
              </p>
            </li>
 <li class="listitem">
              <p>
                When run with the <code class="literal">refresh</code> keyword,
                forces an immediate refresh query to be sent for all
-                the managed keys, updating the managed-keys database
+                the managed keys, updating the managed keys database
                if any new keys are found, without waiting the normal
                refresh interval.
              </p>
@ -418,7 +418,7 @@
 <li class="listitem">
              <p>
                When run with the <code class="literal">sync</code> keyword, forces an
-                immediate dump of the managed-keys database to disk
+                immediate dump of the managed keys database to disk
                (in the file <code class="filename">managed-keys.bind</code> or
                (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
                This synchronizes the database with its journal file, so
@ -429,7 +429,7 @@
 <li class="listitem">
              <p>
                When run with the <code class="literal">destroy</code> keyword, the
-                managed-keys database is shut down and deleted, and all key
+                managed keys database is shut down and deleted, and all key
                maintenance is terminated.  This command should be used only
                with extreme caution.
              </p>
@ -669,9 +669,10 @@
 <dd>
 	  <p>
 	    Dump the security roots (i.e., trust anchors
-	    configured via <span class="command"><strong>trusted-keys</strong></span>,
+	    configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
-	    <span class="command"><strong>managed-keys</strong></span>, or
+	    or the synonymous <span class="command"><strong>managed-keys</strong></span> or
-	    <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
+	    the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
 	    via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
 	    anchors for the specified views.  If no view is specified, all
 	    views are dumped.  Security roots will indicate whether
 	    they are configured as trusted keys, managed keys, or
@ -921,7 +922,7 @@
 	  <p>
 	    List the names of all TSIG keys currently configured
 	    for use by <span class="command"><strong>named</strong></span> in each view.  The
-	    list both statically configured keys and dynamic
+	    list includes both statically configured keys and dynamic
 	    TKEY-negotiated keys.
 	  </p>
 	</dd>
@ -1017,6 +1018,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@ -15,7 +15,7 @@
  <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@ -105,7 +105,15 @@
 	<p>
 	  The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
 	  option could be exceeded in some cases. This could lead to
-	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+	  exhaustion of file descriptors. This flaw is disclosed in
 	  CVE-2018-5743. [GL #615]
 	</p>
      </li>
 <li class="listitem">
 	<p>
 	  A race condition could trigger an assertion failure when
 	  a large number of incoming packets were being rejected.
 	  This flaw is disclosed in CVE-2019-6471. [GL #942]
 	</p>
      </li>
 </ul></div>
@ -114,37 +122,76 @@
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
 	  In order to clarify the configuration of DNSSEC keys,
 	  the <span class="command"><strong>trusted-keys</strong></span> and
 	  <span class="command"><strong>managed-keys</strong></span> statements have been
 	  deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
 	  statement should now be used for both types of key.
 	</p>
 	<p>
 	  When used with the keyword <span class="command"><strong>initial-key</strong></span>,
 	  <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
 	  <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
 	  a trust anchor that is to be maintained via RFC 5011.
 	</p>
 	<p>
 	  When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
 	  has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
 	  configuring a permanent trust anchor that will not automatically
 	  be updated.  (This usage is not recommended for the root key.)
 	  [GL #6]
 	</p>
      </li>
 <li class="listitem">
 	<p>
 	  The new <span class="command"><strong>add-soa</strong></span> option specifies whether
 	  or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
 	  should be included in the additional section of RPZ responses.
 	  [GL #865]
        </p>
-      </li></ul></div>
+      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
 	  The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
 	  no longer has any effect. DNSSEC responses are always enabled
 	  if signatures and other DNSSEC data are present. [GL #866]
 	</p>
-      </li></ul></div>
+      </li>
 <li class="listitem">
 	<p>
 	  The <span class="command"><strong>cleaning-interval</strong></span> option has been
 	  removed.  [GL !1731]
 	</p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
 	  <span class="command"><strong>named</strong></span> will now log a warning if
 	  a static key is configured for the root zone, or if
 	  any key is configured for "dlv.isc.org", which has been shut
 	  down. [GL #6]
 	</p>
      </li>
 <li class="listitem">
 	<p>
-	  When <span class="command"><strong>trusted-keys</strong></span> and
+	  When static and managed DNSSEC keys were both configured for the
-	  <span class="command"><strong>managed-keys</strong></span> were both configured for the
+	  same name, or when a static key was used to
 	  same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
 	  configure a trust anchor for the root zone and
 	  <span class="command"><strong>dnssec-validation</strong></span> was set to the default
 	  value of <code class="literal">auto</code>, automatic RFC 5011 key
@ -169,13 +216,26 @@
 	  <span class="command"><strong>dnssec-checkds</strong></span>.
 	</p>
      </li>
 <li class="listitem">
 	<p>
 	  JSON-C is now the only supported library for enabling JSON
 	  support for BIND statistics. The <span class="command"><strong>configure</strong></span>
 	  option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
 	  to <span class="command"><strong>--with-json-c</strong></span>.  Use
 	  <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
 	  the <span class="command"><strong>json-c</strong></span> library as the new
 	  <span class="command"><strong>configure</strong></span> option does not take the library
 	  installation path as an optional argument.
 	</p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
        <p>
 	  The <span class="command"><strong>allow-update</strong></span> and
 	  <span class="command"><strong>allow-update-forwarding</strong></span> options were
@ -184,14 +244,26 @@
 	  This has now been corrected.
 	  [GL #913]
 	</p>
-      </li></ul></div>
+      </li>
 <li class="listitem">
        <p>
 	  When <span class="command"><strong>qname-minimization</strong></span> was set to
          <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
          would fail to resolve, but would have succeeded when minimization
          was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
          resolution in such cases, and also uses type A rather than NS for
          minimal queries in order to reduce the likelihood of encountering
          the problem. [GL #1055]
 	</p>
      </li>
 </ul></div>
  </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License</h3></div></div></div>
    <p>
-      BIND is open source software licenced under the terms of the Mozilla
+      BIND is open source software licensed under the terms of the Mozilla
      Public License, version 2.0 (see the <code class="filename">LICENSE</code>
      file for the full text).
    </p>
--- a/doc/arm/notes.pdf
+++ b/doc/arm/notes.pdf
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@ -1,4 +1,4 @@
-Release Notes for BIND Version 9.15.0
+Release Notes for BIND Version 9.15.1
 Introduction
@ -57,10 +57,27 @@ Security Fixes
  * The TCP client quota set using the tcp-clients option could be
    exceeded in some cases. This could lead to exhaustion of file
-    descriptors. (CVE-2018-5743) [GL #615]
+    descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
  * A race condition could trigger an assertion failure when a large
    number of incoming packets were being rejected. This flaw is disclosed
    in CVE-2019-6471. [GL #942]
 New Features
  * In order to clarify the configuration of DNSSEC keys, the trusted-keys
    and managed-keys statements have been deprecated, and the new
    dnssec-keys statement should now be used for both types of key.
    When used with the keyword initial-key, dnssec-keys has the same
    behavior as managed-keys, i.e., it configures a trust anchor that is
    to be maintained via RFC 5011.
    When used with the new keyword static-key, it has the same behavior as
    trusted-keys, configuring a permanent trust anchor that will not
    automatically be updated. (This usage is not recommended for the root
    key.) [GL #6]
  * The new add-soa option specifies whether or not the response-policy
    zone's SOA record should be included in the additional section of RPZ
    responses. [GL #865]
@ -71,10 +88,16 @@ Removed Features
    effect. DNSSEC responses are always enabled if signatures and other
    DNSSEC data are present. [GL #866]
  * The cleaning-interval option has been removed. [GL !1731]
 Feature Changes
-  * When trusted-keys and managed-keys were both configured for the same
+  * named will now log a warning if a static key is configured for the
-    name, or when trusted-keys was used to configure a trust anchor for
+    root zone, or if any key is configured for "dlv.isc.org", which has
    been shut down. [GL #6]
  * When static and managed DNSSEC keys were both configured for the same
    name, or when a static key was used to configure a trust anchor for
    the root zone and dnssec-validation was set to the default value of
    auto, automatic RFC 5011 key rollovers would be disabled. This
    combination of settings was never intended to work, but there was no
@ -89,15 +112,28 @@ Feature Changes
    "sync" timing parameters in key files, and the checks performed by
    dnssec-checkds.
  * JSON-C is now the only supported library for enabling JSON support for
    BIND statistics. The configure option has been renamed from
    --with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a
    custom path to the json-c library as the new configure option does not
    take the library installation path as an optional argument.
 Bug Fixes
  * The allow-update and allow-update-forwarding options were
    inadvertently treated as configuration errors when used at the options
    or view level. This has now been corrected. [GL #913]
  * When qname-minimization was set to relaxed, some improperly configured
    domains would fail to resolve, but would have succeeded when
    minimization was disabled. named will now fall back to normal
    resolution in such cases, and also uses type A rather than NS for
    minimal queries in order to reduce the likelihood of encountering the
    problem. [GL #1055]
 License
-BIND is open source software licenced under the terms of the Mozilla
+BIND is open source software licensed under the terms of the Mozilla
 Public License, version 2.0 (see the LICENSE file for the full text).
 The license requires that if you make changes to BIND and distribute them
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -113,6 +113,28 @@
  <section xml:id="relnotes_features"><info><title>New Features</title></info>
    <itemizedlist>
      <listitem>
 	<para>
 	  In order to clarify the configuration of DNSSEC keys,
 	  the <command>trusted-keys</command> and
 	  <command>managed-keys</command> statements have been
 	  deprecated, and the new <command>dnssec-keys</command>
 	  statement should now be used for both types of key.
 	</para>
 	<para>
 	  When used with the keyword <command>initial-key</command>,
 	  <command>dnssec-keys</command> has the same behavior as
 	  <command>managed-keys</command>, i.e., it configures
 	  a trust anchor that is to be maintained via RFC 5011.
 	</para>
 	<para>
 	  When used with the new keyword <command>static-key</command>, it
 	  has the same behavior as <command>trusted-keys</command>,
 	  configuring a permanent trust anchor that will not automatically
 	  be updated.  (This usage is not recommended for the root key.)
 	  [GL #6]
 	</para>
      </listitem>
      <listitem>
 	<para>
 	  The new <command>add-soa</command> option specifies whether
@ -144,19 +166,6 @@
  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
 	<para>
 	  The new <command>dnssec-keys</command> statement can now be
 	  used to configure all DNSSEC trust anchors.  The older
 	  <command>managed-keys</command> statement is a synonym for
 	  <command>dnssec-keys</command>, retained for backward
 	  compatibility. Both statements can now use the
 	  keyword <command>static-key</command> in place of
 	  <command>initial-key</command> if it is necessary to
 	  configure trusted keys for which RFC 5011 trust anchor
 	  maintenance is not to be used. [GL #6]
 	</para>
      </listitem>
      <listitem>
 	<para>
 	  <command>named</command> will now log a warning if
@ -208,33 +217,6 @@
    </itemizedlist>
  </section>
  <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
    <itemizedlist>
      <listitem>
 	<para>
 	  In order to clarify the configuration of DNSSEC keys,
 	  the <command>trusted-keys</command> and
 	  <command>managed-keys</command> statement has been
 	  deprecated.  The new <command>dnssec-keys</command> should
 	  be used for both types of keys.
 	</para>
 	<para>
 	  When used with the keyword <command>initial-key</command>,
 	  <command>dnssec-keys</command> has the same behavior as
 	  <command>managed-keys</command>, i.e., it configures
 	  a trust anchor that is to be maintained via RFC 5011.
 	</para>
 	<para>
 	  When used with the new keyword <command>static-key</command>, it
 	  has the same behavior as <command>trusted-keys</command>,
 	  configuring a permanent trust anchor that will not automatically
 	  be updated.  This usage is not recommended for the root key.
 	  [GL #6]
 	</para>
      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem>
@ -247,6 +229,17 @@
 	  [GL #913]
 	</para>
      </listitem>
      <listitem>
        <para>
 	  When <command>qname-minimization</command> was set to
          <command>relaxed</command>, some improperly configured domains
          would fail to resolve, but would have succeeded when minimization
          was disabled. <command>named</command> will now fall back to normal
          resolution in such cases, and also uses type A rather than NS for
          minimal queries in order to reduce the likelihood of encountering
          the problem. [GL #1055]
 	</para>
      </listitem>
    </itemizedlist>
  </section>
--- a/doc/misc/options
+++ b/doc/misc/options
@ -51,9 +51,10 @@ logging {
 lwres { <unspecified-text> }; // obsolete, may occur multiple times
-managed-keys { <string> ( static-key |
+managed-keys { <string> ( static-key
-    initial-key ) <integer> <integer> <integer>
+    | initial-key ) <integer>
-    <quoted_string>; ... }; // may occur multiple times
+    <integer> <integer>
    <quoted_string>; ... }; // may occur multiple times, deprecated
 masters <string> [ port <integer> ] [ dscp
    <integer> ] { ( <masters> | <ipv4_address> [
@ -110,7 +111,7 @@ options {
        check-spf ( warn | ignore );
        check-srv-cname ( fail | warn | ignore );
        check-wildcard <boolean>;
-        cleaning-interval <integer>;
+        cleaning-interval <integer>; // obsolete
        clients-per-query <integer>;
        cookie-algorithm ( aes | sha1 | sha256 );
        cookie-secret <string>; // may occur multiple times
@ -212,7 +213,7 @@ options {
        listen-on-v6 [ port <integer> ] [ dscp
            <integer> ] {
            <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
        lock-file ( <quoted_string> | none );
        maintain-ixfr-base <boolean>; // ancient
        managed-keys-directory <quoted_string>;
@ -487,7 +488,7 @@ view <string> [ <class> ] {
        check-spf ( warn | ignore );
        check-srv-cname ( fail | warn | ignore );
        check-wildcard <boolean>;
-        cleaning-interval <integer>;
+        cleaning-interval <integer>; // obsolete
        clients-per-query <integer>;
        deny-answer-addresses { <address_match_element>; ... } [
            except-from { <string>; ... } ];
@ -562,11 +563,13 @@ view <string> [ <class> ] {
        }; // may occur multiple times
        key-directory <quoted_string>;
        lame-ttl <ttlval>;
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
        maintain-ixfr-base <boolean>; // ancient
-        managed-keys { <string> ( static-key |
+        managed-keys { <string> (
-            initial-key ) <integer> <integer>
+            static-key | initial-key
-            <integer> <quoted_string>; ... }; // may occur multiple times
+            ) <integer> <integer>
            <integer>
            <quoted_string>; ... }; // may occur multiple times, deprecated
        masterfile-format ( map | raw | text );
        masterfile-style ( full | relative );
        match-clients { <address_match_element>; ... };
--- a/lib/dns/api
+++ b/lib/dns/api
@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1500
+LIBINTERFACE = 1501
 LIBREVISION = 0
 LIBAGE = 0
--- a/lib/irs/api
+++ b/lib/irs/api
@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1500
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
--- a/lib/isc/api
+++ b/lib/isc/api
@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1500
+LIBINTERFACE = 1501
 LIBREVISION = 0
 LIBAGE = 0
--- a/lib/ns/api
+++ b/lib/ns/api
@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1500
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
--- a/2
+++ b/2
@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=15
-PATCHVER=0
+PATCHVER=1
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=