diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index f86e418b74..672bc78b4e 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -156,7 +156,7 @@ logging {
 
 
   <refsection><info><title>MANAGED-KEYS</title></info>
-  <para>See DNSSEC-KEYS.</para>
+  <para>Deprecated - see DNSSEC-KEYS.</para>
     <literallayout class="normal">
 managed-keys { <replaceable>string</replaceable> ( static-key |
     initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
@@ -652,7 +652,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	lmdb-mapsize <replaceable>sizeval</replaceable>;
 	managed-keys { <replaceable>string</replaceable> ( static-key |
 	    initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-	    <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
+	    <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };, deprecated
 	masterfile-format ( map | raw | text );
 	masterfile-style ( full | relative );
 	match-clients { <replaceable>address_match_element</replaceable>; ... };
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 4ee0b7a80d..acc14ac2cd 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -772,9 +772,8 @@
 	<listitem>
 	  <para>
 	    Dump the security roots (i.e., trust anchors
-	    configured via <command>dnssec-keys</command> statements,
-	    or the synonymous <command>managed-keys</command> or
-	    the deprecated <command>trusted-keys</command> statements, or
+	    configured via <command>dnssec-keys</command> statements, or the
+	    managed-keys or trusted-keys statements (both deprecated), or
 	    via <command>dnssec-validation auto</command>) and negative trust
 	    anchors for the specified views.  If no view is specified, all
 	    views are dumped.  Security roots will indicate whether
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index e300267c0c..cd75915bd0 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2213,8 +2213,8 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	  if at least one trust anchor has been explicitly configured
 	  in <filename>named.conf</filename>
 	  using a <command>dnssec-keys</command> statement (or the
-	  synonymous <command>managed-keys</command> or the deprecated
-	  <command>trusted-keys</command> statements).
+	  <command>managed-keys</command> and <command>trusted-keys</command>
+	  statements, both deprecated).
 	</para>
 	<para>
 	  When <command>dnssec-validation</command> is set to
@@ -3209,8 +3209,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		  keys are kept up to date using RFC 5011
 		  trust anchor maintenance, and if used with
 		  <command>static-key</command>, keys are permanent.
-		  Identical to <command>managed-keys</command>,
-		  but has been added for improved clarity.
 		</para>
 	      </entry>
 	    </row>
@@ -3220,8 +3218,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  is identical to <command>dnssec-keys</command>,
-		  and is retained for backward compatibility.
+		  is identical to <command>dnssec-keys</command>;
+		  this option is deprecated in favor
+		  of <command>dnssec-keys</command> with
+		  the <command>initial-key</command> keyword,
+		  and may be removed in a future release.
 		</para>
 	      </entry>
 	    </row>
@@ -5054,10 +5055,11 @@ options {
 		as insecure.
 	      </para>
 	      <para>
-		Configured trust anchors in <command>trusted-keys</command>
-		or <command>managed-keys</command> that match a disabled
-		algorithm will be ignored and treated as if they were not
-		configured at all.
+		Configured trust anchors in <command>dnssec-keys</command>
+		(or <command>managed-keys</command> or
+		<command>trusted-keys</command>, both deprecated)
+		that match a disabled algorithm will be ignored and treated
+		as if they were not configured at all.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -6435,8 +6437,8 @@ options {
 		  If set to <userinput>yes</userinput>, DNSSEC validation is
 		  enabled, but a trust anchor must be manually configured
 		  using a <command>dnssec-keys</command> statement (or
-		  the synonymous <command>managed-keys</command>, or the
-		  deprecated <command>trusted-keys</command> statements).
+		  the <command>managed-keys</command> or the
+		  <command>trusted-keys</command> statements, both deprecated).
 		  If there is no configured trust anchor, validation will
 		  not take place.
 		</para>
@@ -11015,9 +11017,9 @@ example.com                 CNAME   rpz-tcp-only.
 	    and Usage</title></info>
 
 	  <para>
-	    The <command>managed-keys</command> statement is
-	    identical to the <command>dnssec-keys</command>, and is
-	    retained for backward compatibility.
+	    The <command>managed-keys</command> statement has been
+	    deprecated in favor of <xref linkend="dnssec_keys"/>
+	    with the <command>initial-key</command> keyword.
 	  </para>
 	</section>
 
@@ -11030,7 +11032,7 @@ example.com                 CNAME   rpz-tcp-only.
 	  <para>
 	    The <command>trusted-keys</command> statement has been
 	    deprecated in favor of <xref linkend="dnssec_keys"/>
-	    with the <command>static</command> keyword.
+	    with the <command>static-key</command> keyword.
 	  </para>
 	</section>
 
@@ -11417,9 +11419,8 @@ view "external" {
 		        For validation to succeed, a key-signing key
 		        (KSK) for the zone must be configured as a trust
 		        anchor in <filename>named.conf</filename>: that
-		        is, a key for the zone must either be specified
-		        in <command>managed-keys</command> or
-		        <command>trusted-keys</command>.  In the case
+		        is, a key for the zone must be specified in
+		        <command>dnssec-keys</command>.  In the case
 		        of the root zone, you may also rely on the
 		        built-in root trust anchor, which is enabled
 			when <xref endterm="dnssec_validation_term"
diff --git a/doc/misc/dnssec b/doc/misc/dnssec
index 84db388f8b..9fe13ebd45 100644
--- a/doc/misc/dnssec
+++ b/doc/misc/dnssec
@@ -46,7 +46,7 @@ been implemented but should still be considered experimental.
 
 When acting as a caching name server, BIND9 is capable of performing
 basic DNSSEC validation of positive as well as nonexistence responses.
-This functionality is enabled by including a "trusted-keys" clause
+This functionality is enabled by including a "dnssec-keys" clause
 in the configuration file, containing the top-level zone key of the
 the DNSSEC tree.
 
diff --git a/doc/misc/docbook-options.pl b/doc/misc/docbook-options.pl
index fdb9c39c14..e67213136d 100644
--- a/doc/misc/docbook-options.pl
+++ b/doc/misc/docbook-options.pl
@@ -148,7 +148,7 @@ END
 
                 if ($1 eq "managed-keys") {
                         print <<END;
-  <para>See DNSSEC-KEYS.</para>
+  <para>Deprecated - see DNSSEC-KEYS.</para>
 END
                 }
 
diff --git a/lib/irs/include/irs/dnsconf.h b/lib/irs/include/irs/dnsconf.h
index 7e6f78d936..2922f753c1 100644
--- a/lib/irs/include/irs/dnsconf.h
+++ b/lib/irs/include/irs/dnsconf.h
@@ -17,7 +17,7 @@
  *
  * \brief
  * The IRS dnsconf module parses an "advanced" configuration file related to
- * the DNS library, such as trusted keys for DNSSEC validation, and creates
+ * the DNS library, such as trust anchors for DNSSEC validation, and creates
  * the corresponding configuration objects for the DNS library modules.
  *
  * Notes:
diff --git a/lib/isccfg/dnsconf.c b/lib/isccfg/dnsconf.c
index bbc9c6fdb4..03025fec89 100644
--- a/lib/isccfg/dnsconf.c
+++ b/lib/isccfg/dnsconf.c
@@ -43,7 +43,8 @@ static cfg_type_t cfg_type_trustedkeys = {
  */
 static cfg_clausedef_t
 dnsconf_clauses[] = {
-	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ "trusted-keys", &cfg_type_trustedkeys,
+	  CFG_CLAUSEFLAG_MULTI },
 	{ NULL, NULL, 0 }
 };