diff --git a/doc/misc/dnssec b/doc/misc/dnssec index 29cabe32c9..949c44d822 100644 --- a/doc/misc/dnssec +++ b/doc/misc/dnssec @@ -32,8 +32,8 @@ supported. Responses indicating the nonexistence of a name include a NXT record proving the nonexistence of the name itself, but do not include any NXT records to prove the nonexistence of a matching wildcard record. Positive responses resulting from wildcard expansion -do not include the NXT records to prove the nonexistence of a more -specific wildcard match. +do not include the NXT records to prove the nonexistence of a +non-wildcard match or a more specific wildcard match. Secure resolution @@ -44,7 +44,8 @@ been implemented but should still be considered experimental. When acting as a caching name server, BIND9 is capable of performing basic DNSSEC validation of positive as well as nonexistence responses. This functionality is enabled by including a "trusted-keys" clause -in the configuration file. +in the configuration file, containing the top-level zone key of the +the DNSSEC tree. Validation of wildcard responses is not currently supported. In particular, a "name does not exist" response will validate @@ -53,10 +54,19 @@ nonexistence of a matching wildcard. Proof of insecure status for insecure zones delegated from secure zones has been partially implemented but should not yet be expected to -work. +work in all cases. Handling of the CD bit in queries is not yet fully implemented; validation is currently attempted for all recursive queries, even if CD is set. -$Id: dnssec,v 1.1 2000/05/23 14:34:49 gson Exp $ + +Secure dynamic update + +Dynamic update of secure zones has been implemented, but may not be +complete. Affected NXT and SIG records are updated by the server when +an update occurs. Advanced access control is possible using the +"update-policy" statement in the zone definition. + + +$Id: dnssec,v 1.2 2000/05/23 16:41:25 gson Exp $
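Review bot: the two added lines in the "Secure resolution" hunk (`@@ -44,7 +44,8 @@`) read "top-level zone key of the" / "the DNSSEC tree." and so duplicate the word "the" across the line break; fold the line to "in the configuration file, containing the top-level zone key of the DNSSEC tree." before committing, since this is user-facing documentation.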
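Review bot: the new "Secure dynamic update" section in the last hunk (`@@ -53,10 +54,19 @@`) says the implementation "may not be complete" without saying what is known to be missing, unlike the surrounding paragraphs, which name the specific gap ("Handling of the CD bit in queries is not yet fully implemented; validation is currently attempted for all recursive queries, even if CD is set."); either list the known gaps in the update of NXT and SIG records and in "update-policy" handling, or state that none are known and the caveat is only that testing is incomplete, so operators can judge whether to enable dynamic update on a signed zone.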