diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index ae89cc0856..2441f37389 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -12570,7 +12570,7 @@ example.com. NS ns2.example.net.
has been used to create a shared secret, the identity of
the key used to authenticate the TKEY exchange will be
used as the identity of the shared secret. Some rule types
- use indentities matching the client's Kerberos principal
+ use identities matching the client's Kerberos principal
(e.g, "host/machine@REALM") or
Windows realm (machine$@REALM).
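Review bot: the unchanged context line directly below the fix still reads "(e.g, "host/machine@REALM")" with a missing period in "e.g,"; since this hunk already touches the paragraph, correct it to "e.g.," in the same change. The two principal forms are also quoted inconsistently here (the Kerberos one in double quotes, the Windows one "(machine$@REALM)" unquoted) while the rewritten rule descriptions below use single quotes ('machine$@REALM'); pick one quoting style for the whole update-policy section.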
@@ -12731,12 +12731,26 @@ example.com. NS ns2.example.net.
- This rule takes a Windows machine principal
- (machine$@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
- to update machine.realm. The REALM to be matched
- is specified in the identity
- field. The name field should be set to "."
+ When a client sends an UPDATE using a Windows
+ machine principal (for example, 'machine$@REALM'),
+ this rule allows records with the absolute name
+ of 'machine.REALM' to be updated.
+
+
+ The realm to be matched is specified in the
+ identity field.
+
+
+ The name field has
+ no effect on this rule; it should be set to "."
+ as a placeholder.
+
+
+ For example,
+ grant EXAMPLE.COM ms-self . A AAAA
+ allows any machine with a valid principal in
+ the realm EXAMPLE.COM to update
+ its own address records.
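Review bot: the "For example" sentence at the end of the hunk describes the grant as letting a machine "update its own address records", but the preceding paragraph says the permitted name is 'machine.REALM'; it would help to carry the example through with a concrete principal (e.g. 'host1$@EXAMPLE.COM' may update 'host1.example.com') so the reader sees how the unqualified host part is joined to the realm, which is the distinction the krb5-self text later relies on. Minor: the new paragraphs quote the principal as 'machine$@REALM' with single quotes while the placeholder name is given as "." in double quotes; keep one quoting convention within the rule description.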
@@ -12747,13 +12761,32 @@ example.com. NS ns2.example.net.
- This rule takes a Windows machine principal
- (machine$@REALM) for machine in REALM and
- converts it to machine.realm allowing the machine
- to update subdomains of machine.realm. The REALM
- to be matched is specified in the
+ When a client sends an UPDATE using a Windows
+ machine principal (for example, 'machine$@REALM'),
+ this rule allows any machine in the specified
+ realm to update any record in the zone or in a
+ specified subdomain of the zone.
+
+
+ The realm to be matched is specified in the
identity field.
+
+ The name field
+ specifies the subdomain that may be updated.
+ If set to "." (or any other name at or above
+ the zone apex), any name in the zone can be
+ updated.
+
+
+ For example, if update-policy
+ for the zone "example.com" includes
+ grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA,
+ any machine with a valid principal in
+ the realm EXAMPLE.COM will
+ be able to update address records at or below
+ "hosts.example.com".
+
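Review bot: the opening sentence of the new text ("this rule allows any machine in the specified realm to update any record in the zone or in a specified subdomain") changes the documented semantics from the removed text (a machine could update "subdomains of machine.realm") to a realm-wide grant in which every authenticated machine may modify every name under the name field, not just its own; if that is the actual behaviour, the documentation should say so explicitly as a warning, because an operator reading the old wording would assume per-machine scoping and over-grant. Also "any record in the zone" is too broad as written: the grant's type list still applies, as the example's "A AAAA" shows, so say "any record of the listed types". Finally, "If set to "." (or any other name at or above the zone apex)" would read better with the example wording reused: name the zone apex case first, then the subdomain case.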
@@ -12763,12 +12796,32 @@ example.com. NS ns2.example.net.
- This rule takes a Kerberos machine principal
- (host/machine@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
- to update machine.realm. The REALM to be matched
- is specified in the identity
- field. The name field should be set to "."
+ When a client sends an UPDATE using a
+ Kerberos machine principal (for example,
+ 'host/machine@REALM'), this rule allows
+ records with the absolute name of 'machine'
+ to be updated provided it has been authenticated
+ by REALM. This is similar but not identical
+ to ms-self due to the
+ 'machine' part of the Kerberos principal
+ being an absolute name instead of a unqualified
+ name.
+
+
+ The realm to be matched is specified in the
+ identity field.
+
+
+ The name field has
+ no effect on this rule; it should be set to "."
+ as a placeholder.
+
+
+ For example,
+ grant EXAMPLE.COM krb5-self . A AAAA
+ allows any machine with a valid principal in
+ the realm EXAMPLE.COM to update
+ its own address records.
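Review bot: "a unqualified name" in the new text should be "an unqualified name", and "provided it has been authenticated by REALM" has an ambiguous "it" (the machine? the record? the principal?); rewrite as "provided the principal was authenticated by REALM". Since the whole point of the "similar but not identical to ms-self" sentence is that the host part of a Kerberos principal is already an absolute name, the example would be clearer if it showed the mapping ('host/host1.example.com@EXAMPLE.COM' may update 'host1.example.com') instead of repeating the ms-self wording "update its own address records", which hides the difference the paragraph just explained.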
@@ -12779,13 +12832,11 @@ example.com. NS ns2.example.net.
- This rule takes a Kerberos machine principal
- (host/machine@REALM) for machine in REALM and
- converts it to machine.realm allowing the machine
- to update subdomains of machine.realm. The REALM
- to be matched is specified in the
- identity field. The
- name field should be set to "."
+ This rule is identical to
+ ms-subdomain, except that it works
+ with Kerberos machine principals (i.e.,
+ 'host/machine@REALM') rather than Windows machine
+ principals.
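Review bot: the removed lines stated that the name field "should be set to "."", and the replacement delegates everything to ms-subdomain without restating the key facts; since the ms-subdomain description now says the name field selects the subdomain and that every machine in the realm receives the grant, either repeat that one-sentence summary here or add a krb5-subdomain example ("grant EXAMPLE.COM krb5-subdomain hosts.example.com. A AAAA") so a reader who lands on this rule directly does not miss that the grant is realm-wide rather than per-machine.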