diff --git a/CHANGES b/CHANGES
index 3e59eb84b3..d709e9b3aa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5787.	[doc]		Update 'auto-dnssec' documentation, it may only be
+			activated at zone level. [GL #3023]
+
 5786.	[bug]		Defer detaching from zone->raw in zone_shutdown() if
 			the zone is in the process of being dumped to disk to
 			ensure that the unsigned serial number information is
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index c7c180bf95..4fc6a5b55c 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2042,7 +2042,11 @@ Boolean Options
    periodically, regardless of whether ``rndc loadkeys`` is used. The
    recheck interval is defined by ``dnssec-loadkeys-interval``.
 
-   The default setting is ``auto-dnssec off``.
+   ``auto-dnssec off;`` does not allow for DNSSEC key management.
+   This is the default setting.
+
+   This option may only be activated at the zone level; if configured
+   at the view or options level, it must be set to ``off``.
 
 .. _dnssec-validation-option: