diff --git a/CHANGES b/CHANGES
index 9ce4d661f4..c230e593d0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5186. [cleanup] More dnssec-keygen manual tidying. [GL !1678]
+
5184. [bug] Missing unlocks in sdlz.c. [GL #936]
5183. [bug] Reinitialize ECS data before reusing client
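Review bot: the new entry 5186 is placed directly above 5184, so number 5185 is skipped in this file; confirm that 5185 is reserved by another pending change, otherwise renumber. The summary "More dnssec-keygen manual tidying" is also thin for a change that alters what the manual says about the .key file and drops the paragraph on symmetric algorithms, so consider naming those two points in the entry.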
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index a56ded92b9..8d157adb54 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -571,10 +571,12 @@
key.
- The .key file contains a DNS KEY record
- that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
+ The .key file contains a DNSKEY or KEY record.
+ When a zone is being signed by named
+ or dnssec-signzone , DNSKEY
+ records are included automatically. In other cases,
+ the .key file can be inserted into a zone file
+ manually or with a $INCLUDE statement.
The .private file contains
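Review bot: "In other cases" in the added text is ambiguous, since it can mean "when the file holds a KEY record rather than a DNSKEY record" or "when the zone is not being signed by named or dnssec-signzone". Spell out which case is meant. The sentence "DNSKEY records are included automatically" also states no condition; if the signer must be able to locate the key files for that to happen, say so here, so a reader does not both rely on automatic inclusion and add a $INCLUDE for the same key.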
@@ -582,11 +584,6 @@
fields. For obvious security reasons, this file does not have
general read permission.
-
- Both .key and .private
- files are generated for symmetric cryptography algorithms such as
- HMAC-MD5, even though the public and private key are equivalent.
- EXAMPLE
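Review bot: the paragraph removed here, on HMAC-MD5 and other symmetric algorithms, goes without a stated reason, and "manual tidying" in the CHANGES entry does not cover it. The removed sentence noted that for such algorithms "the public and private key are equivalent", while the surviving context only says the .private file "does not have general read permission". If dnssec-keygen can still produce symmetric keys, that removed text was the only hint in these lines that the .key file then holds secret material too, so keep a sentence to that effect. If it can no longer produce them, state that in the commit message.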