From aac39647f30f39992e29e47f07ef1992db2e242e Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 26 Nov 2021 10:37:06 +0100
Subject: [PATCH 1/2] Update auto-dnssec documentation

Explain that 'auto-dnssec' may only be activated at zone level.
---
 doc/arm/reference.rst | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index c7c180bf95..4fc6a5b55c 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2042,7 +2042,11 @@ Boolean Options
    periodically, regardless of whether ``rndc loadkeys`` is used. The
    recheck interval is defined by ``dnssec-loadkeys-interval``.
 
-   The default setting is ``auto-dnssec off``.
+   ``auto-dnssec off;`` does not allow for DNSSEC key management.
+   This is the default setting.
+
+   This option may only be activated at the zone level; if configured
+   at the view or options level, it must be set to ``off``.
 
 .. _dnssec-validation-option:
 

From 447fa2a8161a469064b2a709ee87ed14058ef7d4 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 26 Nov 2021 10:38:59 +0100
Subject: [PATCH 2/2] Add CHANGES for #3023

---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 3e59eb84b3..d709e9b3aa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5787.	[doc]		Update 'auto-dnssec' documentation, it may only be
+			activated at zone level. [GL #3023]
+
 5786.	[bug]		Defer detaching from zone->raw in zone_shutdown() if
 			the zone is in the process of being dumped to disk to
 			ensure that the unsigned serial number information is