diff --git a/doc/misc/dnssec b/doc/misc/dnssec
index 9d88f30ad1..8f33c98f68 100644
--- a/doc/misc/dnssec
+++ b/doc/misc/dnssec
@@ -49,8 +49,10 @@ successfully even if it does not contain the NXT records to prove the
 nonexistence of a matching wildcard.
 
 Proof of insecure status for insecure zones delegated from secure
-zones has been partially implemented but should not yet be expected to
-work in all cases.
+zones works when the zones are completely insecure.  Privately
+secured zones delegated from secure zones will not work in all cases,
+such as when the privately secured zone is served by the same server
+as an ancestor (but not parent) zone.
 
 Handling of the CD bit in queries is not yet fully implemented;
 validation is currently attempted for all recursive queries, even if
@@ -65,4 +67,4 @@ an update occurs.  Advanced access control is possible using the
 "update-policy" statement in the zone definition.
 
 
-$Id: dnssec,v 1.5 2000/06/27 21:45:52 bwelling Exp $
+$Id: dnssec,v 1.6 2000/07/14 00:03:54 bwelling Exp $