diff --git a/CHANGES b/CHANGES
index 3b644850e9..8e0575b08e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -39,10 +39,8 @@
[RT #46340]
4785. [func] The hmac-md5 algorithm is no longer recommended for
- use with RNDC keys. For compatibility reasons, it
- it is still the default algorithm in rndc-confgen,
- but this will be changed to hmac-sha256 in a future
- release. [RT #42272]
+ use with RNDC keys. The default in rndc-confgen
+ is now hmac-sha256. [RT #42272]
4784. [func] The use of dnssec-keygen to generate HMAC keys is
deprecated in favor of tsig-keygen. dnssec-keygen
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index b96468f05a..4745037167 100644
--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
-/* $Id: rndc-confgen.c,v 1.7 2011/03/12 04:59:46 tbox Exp $ */
-
/*! \file */
/**
@@ -67,23 +65,6 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
-#ifndef PK11_MD5_DISABLE
- fprintf(stderr, "\
-Usage:\n\
- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
-[-s addr] [-t chrootdir] [-u user]\n\
- -a: generate just the key clause and write it to keyfile (%s)\n\
- -A alg: algorithm (default hmac-md5 (deprecated and will change))\n\
- -b bits: from 1 through 512, default 256; total length of the secret\n\
- -c keyfile: specify an alternate key file (requires -a)\n\
- -k keyname: the name as it will be used in named.conf and rndc.conf\n\
- -p port: the port named will listen on and rndc will connect to\n\
- -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
- -s addr: the address to which rndc should connect\n\
- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
- -u user: set the keyfile owner to \"user\" (requires -a)\n",
- progname, keydef);
-#else
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
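Review bot: With the `#ifndef PK11_MD5_DISABLE` branch deleted, the only usage text left is the one that was previously compiled solely for MD5-disabled builds, and its `-A alg:` line lies in the context elided between this hunk and the next (new-side lines 71-79), so it cannot be seen here whether it names the new default. The removed branch read `-A alg: algorithm (default hmac-md5 (deprecated and will change))`; the retained line should be confirmed to read something like `-A alg: algorithm (default hmac-sha256)` so the help text agrees with the unconditional `alg = DST_ALG_HMACSHA256;` default set later in main(). The body of usage() continues into the following hunk.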
@@ -99,7 +80,6 @@ Usage:\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
-#endif
exit (status);
}
@@ -115,7 +95,6 @@ main(int argc, char **argv) {
const char *randomfile = NULL;
const char *serveraddr = NULL;
dns_secalg_t alg;
- isc_boolean_t algset = ISC_FALSE;
const char *algname;
char *p;
int ch;
@@ -136,11 +115,7 @@ main(int argc, char **argv) {
progname = program;
keyname = DEFAULT_KEYNAME;
-#ifndef PK11_MD5_DISABLE
- alg = DST_ALG_HMACMD5;
-#else
alg = DST_ALG_HMACSHA256;
-#endif
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
@@ -154,7 +129,6 @@ main(int argc, char **argv) {
keyonly = ISC_TRUE;
break;
case 'A':
- algset = ISC_TRUE;
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN)
@@ -228,17 +202,9 @@ main(int argc, char **argv) {
usage(1);
if (alg == DST_ALG_HMACMD5) {
- if (algset) {
- fprintf(stderr,
- "warning: use of hmac-md5 for RNDC keys "
- "is deprecated; hmac-sha256 is now "
- "recommended.\n");
- } else {
- fprintf(stderr,
- "warning: the default algorithm hmac-md5 "
- "is deprecated and will be\n"
- "changed to hmac-sha256 in a future release\n");
- }
+ fprintf(stderr,
+ "warning: use of hmac-md5 for RNDC keys "
+ "is deprecated; hmac-sha256 is now recommended.\n");
}
if (keysize < 0)
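Review bot: The retained `if (alg == DST_ALG_HMACMD5)` branch is now reachable only when the user passes `-A hmac-md5`, since the default is unconditionally hmac-sha256, but nothing at the branch says so and the dropped `algset` flag was the former hint. A one-line comment above the condition would keep that intent visible, e.g. `/* hmac-md5 is never the default now; this fires only for an explicit -A hmac-md5 */`. The body of main() continues outside this hunk.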
diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
index 23f2ca7c17..4ae039fed2 100644
--- a/bin/confgen/rndc-confgen.docbook
+++ b/bin/confgen/rndc-confgen.docbook
@@ -129,12 +129,7 @@
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5, or
- if MD5 was disabled at compile time, hmac-sha256.
-
-
- Note: Use of hmac-md5 is no longer recommended, and the default
- value will be changed to hmac-sha256 in a future release.
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 8997a269ed..a7ce6ed018 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -500,11 +500,9 @@
The use of HMAC-MD5 for RNDC keys is no longer recommended.
- For compatibility, this is still the default algorithm generated
- by rndc-confgen, but it will print a
- warning message. The default algorithm in
- rndc-confgen will be changed to HMAC-SHA256
- in a future release. [RT #42272]
+ The default algorithm generated by rndc-confgen,
+ is now HMAC-256, and a warning message will be printed if
+ HMAC-MD5 is used. [RT #42272]