diff --git a/CHANGES b/CHANGES
index b42cedc441..09b2629ec7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,13 +1,12 @@
-4724. [func] Added the --enable-crypto-rand configure flag
- (yes by default): when the random file (-r command
- line argument) is set to "openssl" the entropy/random
- source is the OpenSSL RAND routine. This is suitable
- for virtual machine environment without a hardware
- random generator but makes random generation not
- reproducible. Note with native PKCS#11 the
- entropy/random source will unconditionally be
- C_GenerateRandom() i.e. the PKCS#11 random API.
- [RT #31459]
+4724. [func] When the random device (i.e. the "random-device"
+ option in named.conf, or the -r command line option
+ in various tools) is set to "openssl", the OpenSSL
+ RAND routine is used as the source of entropy/
+ randomness. This is suitable for a virtual
+ machine environment without a hardware random
+ number generator. This behavior can be overridden
+ by using "configure --disable-crypto-rand" or
+ native PKCS#11. [RT #31459]
4723. [bug] Statistics counter DNSTAPdropped was misidentified
as DNSSECdropped. [RT #46002]
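Review bot: the rewritten entry 4724 loses three facts that the removed text stated, and the closing sentence "This behavior can be overridden by using "configure --disable-crypto-rand" or native PKCS#11" does not replace them. The old entry said the flag is "yes by default", and that with native PKCS#11 the source is "unconditionally" C_GenerateRandom(). It also said that using OpenSSL RAND "makes random generation not reproducible". "Overridden" reads as if PKCS#11 were a choice made alongside "openssl", not a build type where the setting has no effect. Suggest keeping the default explicit and naming the source that results in each case, for example: "Enabled by default; disable with configure --disable-crypto-rand. With native PKCS#11 the source is always C_GenerateRandom()." If the reproducibility caveat still applies, it should stay as well, since anyone relying on a fixed random file for repeatable test output would be affected.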
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index c21ea3f13a..ea7049204f 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -363,6 +363,24 @@
"[ECS address/source/scope]".
+
+
+ When named is linked with OpenSSL, the
+ OpenSSL RAND routine can be used as the source of entropy/
+ randomness by specifying
+ random-device openssl; in
+ named.conf. It can also be used in tools
+ such as dnssec-keygen,
+ tsig-keygen,
+ and nsupdate by specifying
+ -r openssl on the command line.
+ This is suitable for a virtual machine environment without
+ a hardware random number generator.
+ This behavior can be overridden by using
+ configure --disable-crypto-rand or
+ building with native PKCS#11. [RT #31459]
+
+
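Review bot: the added release note does not tell an operator what "random-device openssl;" or "-r openssl" does on a build where the feature is unavailable, and "This behavior can be overridden by using configure --disable-crypto-rand or building with native PKCS#11" leaves that open. Because the note presents this setting as the answer for virtual machines without a hardware random number generator, the reader needs to know whether such a build rejects the value, treats "openssl" as a file name, or uses a different source, and which source that is. Suggest replacing "overridden" with a sentence that states the outcome for each of the two build types. The note should also say that the feature is compiled in by default when named is linked with OpenSSL, which "When named is linked with OpenSSL ... can be used" only implies.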