diff --git a/CHANGES b/CHANGES
index de4307c506..9d82d6e8ba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
+
 5188.	[func]		The "dnssec-enable" option is deprecated and no
 			longer has any effect; DNSSEC responses are
 			always enabled. [GL #866]
diff --git a/bind.keys b/bind.keys
index c468c972e6..37e92561c6 100644
--- a/bind.keys
+++ b/bind.keys
@@ -23,18 +23,6 @@
 # for current trust anchor information for the root zone.
 
 managed-keys {
-        # This key (19036) is to be phased out starting in 2017. It will
-        # remain in the root zone for some time after its successor key
-        # has been added. It will remain this file until it is removed from
-        # the root zone.
-        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
-                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
-                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
-                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
-                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
-                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
-                QxA+Uk1ihz0=";
-
         # This key (20326) was published in the root zone in 2017.
         # Servers which were already using the old key (19036) should
         # roll seamlessly to this new one via RFC 5011 rollover. Servers
diff --git a/bind.keys.h b/bind.keys.h
index 8e94793a95..59e4e925e8 100644
--- a/bind.keys.h
+++ b/bind.keys.h
@@ -26,18 +26,6 @@
 # for current trust anchor information for the root zone.\n\
 \n\
 trusted-keys {\n\
-        # This key (19036) is to be phased out starting in 2017. It will\n\
-        # remain in the root zone for some time after its successor key\n\
-        # has been added. It will remain this file until it is removed from\n\
-        # the root zone.\n\
-        . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
-                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
-                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
-                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
-                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
-                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
-                QxA+Uk1ihz0=\";\n\
-\n\
         # This key (20326) was published in the root zone in 2017.\n\
         # Servers which were already using the old key (19036) should\n\
         # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
@@ -81,18 +69,6 @@ trusted-keys {\n\
 # for current trust anchor information for the root zone.\n\
 \n\
 managed-keys {\n\
-        # This key (19036) is to be phased out starting in 2017. It will\n\
-        # remain in the root zone for some time after its successor key\n\
-        # has been added. It will remain this file until it is removed from\n\
-        # the root zone.\n\
-        . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
-                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
-                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
-                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
-                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
-                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
-                QxA+Uk1ihz0=\";\n\
-\n\
         # This key (20326) was published in the root zone in 2017.\n\
         # Servers which were already using the old key (19036) should\n\
         # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\