diff --git a/CHANGES b/CHANGES
index 612ac40df5..0fe450c0d2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,8 @@
+	--- 9.7.0b1 released ---
+
 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
 			__isync() calls.
 
-	--- 9.7.0b1 released ---
-
 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
 			to be fully automated in zones configured for
 			dynamic DNS.  'auto-dnssec allow;' permits a zone
diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h
index 1c8a4aba11..58a94f2011 100644
--- a/bin/named/bind.keys.h
+++ b/bin/named/bind.keys.h
@@ -1,6 +1,6 @@
 #define TRUSTED_KEYS "\
 trusted-keys {\n\
-        # NOTE: This key is current as of September 2009.\n\
+        # NOTE: This key is current as of October 2009.\n\
         # If it fails to initialize correctly, it may have expired;\n\
         # see https://www.isc.org/solutions/dlv for a replacement.\n\
 	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
@@ -9,7 +9,7 @@ trusted-keys {\n\
 
 #define MANAGED_KEYS "\
 managed-keys {\n\
-        # NOTE: This key is current as of September 2009.\n\
+        # NOTE: This key is current as of October 2009.\n\
         # If it fails to initialize correctly, it may have expired;\n\
         # see https://www.isc.org/solutions/dlv for a replacement.\n\
 	dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index a570654e15..c81cab9838 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.42 2009/10/10 01:47:59 each Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.43 2009/10/16 02:59:41 each Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -132,6 +132,15 @@ trusted-keys {
 </literallayout>
   </refsect1>
 
+  <refsect1>
+    <title>MANAGED-KEYS</title>
+    <literallayout>
+managed-keys {
+	<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
+};
+</literallayout>
+  </refsect1>
+
   <refsect1>
     <title>CONTROLS</title>
     <literallayout>
@@ -273,6 +282,7 @@ options {
 	dnssec-enable <replaceable>boolean</replaceable>;
 	dnssec-validation <replaceable>boolean</replaceable>;
 	dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
+	dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
 	dnssec-accept-expired <replaceable>boolean</replaceable>;
 
@@ -339,10 +349,17 @@ options {
 
 	zone-statistics <replaceable>boolean</replaceable>;
 	key-directory <replaceable>quoted_string</replaceable>;
+	auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>;
 	try-tcp-refresh <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
 	secure-to-insecure <replaceable>boolean</replaceable>;
+	deny-answer-addresses {
+		<replaceable>address_match_list</replaceable>
+	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
+	deny-answer-aliases {
+		<replaceable>namelist</replaceable>
+	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
 
 	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only
 
@@ -384,7 +401,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	};
 
 	trusted-keys {
-		<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ...
+		<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
+		<optional>...</optional>
 	};
 
 	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
@@ -545,13 +563,14 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-	update-policy {
+	update-policy <replaceable>local</replaceable> | <replaceable> {
 		( grant | deny ) <replaceable>string</replaceable>
 		( name | subdomain | wildcard | self | selfsub | selfwild |
                   krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-		  tcp-self | 6to4-self ) <replaceable>string</replaceable>
-		<replaceable>rrtypelist</replaceable>; ...
-	};
+		  tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
+		<replaceable>rrtypelist</replaceable>;
+		<optional>...</optional>
+	}</replaceable>;
 	update-check-ksk <replaceable>boolean</replaceable>;
 	dnskey-ksk-only <replaceable>boolean</replaceable>;
 
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index ab234b498b..31afb2811d 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nsupdate.docbook,v 1.40 2009/08/26 21:34:44 jreed Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.41 2009/10/16 02:59:41 each Exp $ -->
 <refentry id="man.nsupdate">
   <refentryinfo>
     <date>Aug 25, 2009</date>
@@ -76,7 +76,7 @@
   <refsect1>
     <title>DESCRIPTION</title>
     <para><command>nsupdate</command>
-      is used to submit Dynamic DNS Update requests as defined in RFC2136
+      is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
       This allows resource records to be added or removed from a zone
       without manually editing the zone file.
@@ -118,8 +118,8 @@
     <para>
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
-      in RFC2845 or the SIG(0) record described in RFC3535 and
-      RFC2931 or GSS-TSIG as described in RFC3645.  TSIG relies on
+      in RFC 2845 or the SIG(0) record described in RFC 2535 and
+      RFC 2931 or GSS-TSIG as described in RFC 3645.  TSIG relies on
       a shared secret that should only be known to
       <command>nsupdate</command> and the name server.  Currently,
       the only supported encryption algorithm for TSIG is HMAC-MD5,
@@ -136,7 +136,12 @@
       record in a zone served by the name server.
       <command>nsupdate</command> does not read
       <filename>/etc/named.conf</filename>.
-      GSS-TSIG uses Kerberos credentials.
+    </para>
+    <para>
+      GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
+      is switched on with the <option>-g</option> flag.  A
+      non-standards-compliant variant of GSS-TSIG used by Windows
+      2000 can be switched on with the <option>-o</option> flag.
     </para>
     <para><command>nsupdate</command>
       uses the <option>-y</option> or <option>-k</option> option
@@ -629,9 +634,9 @@
       If there are, the update request fails.
       If this name does not exist, a CNAME for it is added.
       This ensures that when the CNAME is added, it cannot conflict with the
-      long-standing rule in RFC1034 that a name must not exist as any other
+      long-standing rule in RFC 1034 that a name must not exist as any other
       record type if it exists as a CNAME.
-      (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+      (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
       RRSIG, DNSKEY and NSEC records.)
     </para>
   </refsect1>
@@ -687,27 +692,14 @@
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>RFC2136</refentrytitle>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>RFC3007</refentrytitle>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>RFC2104</refentrytitle>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>RFC2845</refentrytitle>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>RFC1034</refentrytitle>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>RFC2535</refentrytitle>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>RFC2931</refentrytitle>
-      </citerefentry>,
+    <para>
+      <citetitle>RFC 2136</citetitle>,
+      <citetitle>RFC 3007</citetitle>,
+      <citetitle>RFC 2104</citetitle>,
+      <citetitle>RFC 2845</citetitle>,
+      <citetitle>RFC 1034</citetitle>,
+      <citetitle>RFC 2535</citetitle>,
+      <citetitle>RFC 2931</citetitle>,
       <citerefentry>
         <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
@@ -718,8 +710,8 @@
         <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>.
     </para>
-
   </refsect1>
+
   <refsect1>
     <title>BUGS</title>
     <para>
diff --git a/bind.keys b/bind.keys
index 511dff4f01..1b5cab17f5 100644
--- a/bind.keys
+++ b/bind.keys
@@ -1,5 +1,5 @@
 managed-keys {
-        # NOTE: This key is current as of September 2009.
+        # NOTE: This key is current as of October 2009.
         # If it fails to initialize correctly, it may have expired;
         # see https://www.isc.org/solutions/dlv for a replacement.
 	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index f12dd94c4f..c92446a270 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.436 2009/10/14 12:49:11 jreed Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.437 2009/10/16 02:59:41 each Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -5509,24 +5509,42 @@ options {
 		validator with an alternate method to validate DNSKEY
 		records at the top of a zone.  When a DNSKEY is at or
 		below a domain specified by the deepest
-		<command>dnssec-lookaside</command>, and the normal dnssec
+		<command>dnssec-lookaside</command>, and the normal DNSSEC
 		validation has left the key untrusted, the trust-anchor
-		will be append to the key name and a DLV record will be
+		will be appended to the key name and a DLV record will be
 		looked up to see if it can validate the key.  If the DLV
-		record validates a DNSKEY (similarly to the way a DS record
-		does) the DNSKEY RRset is deemed to be trusted.
+		record validates a DNSKEY (similarly to the way a DS
+                record does) the DNSKEY RRset is deemed to be trusted.
 	      </para>
 	      <para>
 		If <command>dnssec-lookaside</command> is set to
 		<userinput>auto</userinput>, then built-in default
-		values for the domain and trust anchor will be
+		values for the DLV domain and trust anchor will be
 		used, along with a built-in key for validation.
 	      </para>
-	      <para>
-		NOTE: Since the built-in key may expire, it can be
-		overridden without recompiling <command>named</command>
-		by placing a new key in the file
-		<filename>bind.keys</filename>.
+              <para>
+                The default DLV key is stored in the file
+                <filename>bind.keys</filename>, which
+                <command>named</command> loads at startup if
+                <command>dnssec-lookaside</command> is set to
+                <constant>auto</constant>.  A copy of that file is
+                installed along with <acronym>BIND</acronym> 9, and is
+                current as of the release date.  If the DLV key expires, a
+                new copy of <filename>bind.keys</filename> can be downloaded
+                from <ulink>https://www.isc.org/solutions/dlv</ulink>.
+              </para>
+              <para>
+                (To prevent problems if <filename>bind.keys</filename> is
+                not found, the current key is also compiled in to
+                <command>named</command>.  Relying on this is not
+                recommended, however, as it requires <command>named</command>
+                to be recompiled with a new key when the DLV key expires.)
+              </para>
+              <para>
+                NOTE: Using <filename>bind.keys</filename> to store
+                locally-configured keys is possible, but not
+                recommended, as the file will be overwritten whenever
+                <acronym>BIND</acronym> 9 is re-installed or upgraded.
               </para>
             </listitem>
           </varlistentry>
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 1b52ba32ea..d55d3ec378 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.104 2009/10/12 23:48:01 tbox Exp $
+ * $Id: dnssec.c,v 1.105 2009/10/16 02:59:41 each Exp $
  */
 
 /*! \file */
@@ -1256,15 +1256,15 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 
 		if (!is_zone_key(pubkey) ||
 		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
-			continue;
+			goto again;
 
 		/* Corrupted .key file? */
 		if (!dns_name_equal(origin, dst_key_name(pubkey)))
-			continue;
+			goto again;
 
 		if (public) {
 			addkey(keylist, &pubkey, savekeys, mctx);
-			continue;
+			goto again;
 		}
 
 		result = dst_key_fromfile(dst_key_name(pubkey),
@@ -1274,20 +1274,20 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 					  directory, mctx, &privkey);
 		if (result == ISC_R_FILENOTFOUND) {
 			addkey(keylist, &pubkey, savekeys, mctx);
-			continue;
+			goto again;
 		}
 		RETERR(result);
 
-		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
-			/* We should never get here. */
-			dst_key_free(&pubkey);
-			dst_key_free(&privkey);
-			continue;
-		}
+		/* This should never happen. */
+		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
+			goto again;
 
 		addkey(keylist, &privkey, savekeys, mctx);
-
-		dst_key_free(&pubkey);
+ again:
+ 		if (pubkey != NULL)
+			dst_key_free(&pubkey);
+ 		if (privkey != NULL)
+			dst_key_free(&privkey);
 	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;