diff --git a/CHANGES b/CHANGES
index c00bb8357f..b98b9f2d5f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3198.	[doc]		Clarified that dnssec-settime can alter keyfile
+			permissions. [RT #24866]
+
 3197.	[bug]		Don't try to log the filename and line number when 
 			the config parser can't open a file. [RT #22263]
 
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index e69a48f957..bc6870b132 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-settime.docbook,v 1.14 2011/03/21 15:56:35 each Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.15 2011/11/03 20:21:37 each Exp $ -->
 <refentry id="man.dnssec-settime">
   <refentryinfo>
     <date>July 15, 2009</date>
@@ -83,7 +83,8 @@
       <filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
       Metadata fields are stored in the private file.  A human-readable
       description of the metadata is also placed in comments in the key
-      file.
+      file.  The private file's permissions are always set to be
+      inaccessible to anyone other than the owner (mode 0600).
     </para>
   </refsect1>