diff --git a/CHANGES b/CHANGES
index 12d2fd6a94..9f211b6819 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+4957.	[func]		The default setting for "dnssec-validation" is now
+			"auto", which activates DNSSEC validation using the
+			IANA root key. (The default can be changed back to
+			"yes", which activates DNSSEC validation only when keys
+			are explicitly configured in named.conf, by building
+			BIND with "configure --disable-auto-validation".)
+			[GL #30]
+
 4956.	[func]		Change isc_random() to be just PRNG using xoshiro128**,
 			and add isc_nonce_buf() that uses CSPRNG. [GL #289]
 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 30ca51b601..5032df3741 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -196,6 +196,17 @@
 	  resort. [GL #221]
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  The default setting for <command>dnssec-validation</command> is
+	  now <userinput>auto</userinput>, which activates DNSSEC
+	  validation using the IANA root key. (The default can be changed
+	  back to <userinput>yes</userinput>, which activates DNSSEC
+	  validation only when keys are explicitly configured in
+	  <filename>named.conf</filename>, by building BIND with
+	  <command>configure --disable-auto-validation</command>.) [GL #30]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  BIND can no longer be built without DNSSEC support. A cryptography