diff --git a/doc/design/keydone b/doc/design/keydone
new file mode 100644
index 0000000000..c76484c2bc
--- /dev/null
+++ b/doc/design/keydone
@@ -0,0 +1,29 @@
+
+        rndc keydone <rdata> zone [class [view]]
+
+        e.g.
+                rndc keydone 0549E00001 example
+
+        Last 4 characters need to be 0001 (00=no flags, 01=done)
+        First 2 characters (algorithm) not 00 (algorithm 0 which
+        is reserved, 00 => NSEC3PARAMETERS are encoded in the record)
+        All hexadecimal case insensitive.  length 10.
+                Err: DNS_R_SYNTAX
+
+        The control code will select the zone based on 'zone [class
+        [view]]'.
+                Err: DNS_R_NOTFOUND
+
+        zone must be a master (signed inline == master) or normal
+        dynamic zone.
+                Err: DNS_R_NOTMASTER
+
+        dns_zone_<something>(zone, text) which will send a event
+        to the zone so that the deletion gets run in the zone's
+        task.  The event handler will delete the record, update the
+        SOA and write out the journal.
+                Err: ISC_R_NOMEMORY
+
+        'zone' can refer to a normal dynamic master zone or a inline
+        zone.
+