diff --git a/bin/dnssec/dnssec-cds.8 b/bin/dnssec/dnssec-cds.8 index a3e3e5f288..2eaa5318e8 100644 --- a/bin/dnssec/dnssec-cds.8 +++ b/bin/dnssec/dnssec-cds.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" This Source Code Form is subject to the terms of the Mozilla Public .\" License, v. 2.0. If a copy of the MPL was not distributed with this @@ -44,7 +44,8 @@ dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY .PP The \fBdnssec\-cds\fR -command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&. +command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&. This enables a child zone to inform its parent of upcoming changes to its key\-signing keys; by polling periodically with +\fBdnssec\-cds\fR, the parent can keep the DS records up to date and enable automatic rolling of KSKs\&. .PP Two input files are required\&. The \fB\-f \fR\fB\fIchild\-file\fR\fR @@ -57,6 +58,10 @@ file generated by \fBdnssec\-dsfromkey\fR, or the output of a previous run of \fBdnssec\-cds\fR\&. .PP +The +\fBdnssec\-cds\fR +command uses special DNSSEC validation logic specified by RFC 7344\&. It requires that the CDS and/or CDNSKEY records are validly signed by a key represented in the existing DS records\&. This will typicially be the pre\-existing key\-signing key (KSK)\&. +.PP For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of \fBdnssec\-cds\fR\&. This time is obtained from the modification time of the dsset\- 
@@ -288,5 +293,5 @@ RFC 7344\&. .RE .SH "COPYRIGHT" .br -Copyright \(co 2017 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/dnssec/dnssec-cds.html b/bin/dnssec/dnssec-cds.html index 6d032ed286..c4639d1bcb 100644 --- a/bin/dnssec/dnssec-cds.html +++ b/bin/dnssec/dnssec-cds.html @@ -1,6 +1,6 @@
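Review bot: in the hunk at @@ -44,7 +44,8 @@ the new sentence says polling with dnssec-cds will "enable automatic rolling of KSKs", but the tool only updates the parent's DS records; the child still has to publish the new KSK and the matching CDS/CDNSKEY records itself. Suggest rewording to something like "the parent can keep the DS records up to date, which allows the child to roll its KSKs without manual intervention at the parent", so readers do not expect dnssec-cds to drive the key roll on the child side.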
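Review bot: typo in the hunk at @@ -57,6 +58,10 @@: "typicially" should be "typically". While touching that paragraph, it would help to state the purpose of the RFC 7344 rule rather than just the rule itself, e.g. "This ensures that only the holder of a key already trusted by the parent can change the delegation", since that signature requirement is the property that keeps an unsigned or wrongly signed CDS/CDNSKEY RRset from altering the DS records; "and/or" can also simply read "or", as the preceding paragraph already says CDS is preferred when both are present.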