diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index b0f7dee3e8..99515b492b 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -147,7 +147,7 @@ This ``custom`` policy, for example: rotated after one year and the ZSK after 60 days. Also: - - The configured keys also have a lifetime set and use the ECDSAP384SHA384 + - The configured keys have a lifetime set and use the ECDSAP384SHA384 algorithm. - The last line instructs BIND to generate NSEC3 records for :ref:`Proof of Non-Existence `, diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index 5495be2658..1d19908323 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -1149,7 +1149,7 @@ ZSK, and 257 is KSK. The name of the file also tells us something about the contents. See chapter :ref:`zone_keys` for more details. -Make sure these files are readable by :iscman:`named` and make sure that the +Make sure that these files are readable by :iscman:`named` and that the ``.private`` files are not readable by anyone else. Alternativelly, the :iscman:`dnssec-keyfromlabel` program is used to get a key @@ -1429,7 +1429,7 @@ and the KSK file name. This also generates a plain-text file to provide the parent zone administrators with the ``DNSKEY`` records (or their corresponding ``DS`` records) that are the secure entry point to the zone. -Finally, you'll need to update :iscman:`named.conf` to load the signed version +Finally, :iscman:`named.conf` needs to be updated to load the signed version of the zone, which looks something like this: .. code-block:: none
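Review bot: In the doc/dnssec-guide/signing.rst hunk at -1149, the unchanged context line right after the reworded sentence still reads "Alternativelly". Since this patch is a wording cleanup of the adjacent paragraph, correct it to "Alternatively" in the same change. The reworded sentence itself keeps both requirements (key files readable by named, ``.private`` files not readable by anyone else), so nothing is lost there.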
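Review bot: In the doc/dnssec-guide/signing.rst hunk at -1429, the relative clause "which looks something like this:" now follows "the signed version of the zone", so it reads as if the code block shows the zone rather than the named.conf change. The passive rewrite also drops who performs the step. Consider an imperative form that points the clause at the configuration, for example "Finally, update named.conf to load the signed version of the zone, using a configuration like this:".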