Document new requirements for 'dnssec-validation yes'

Using the 'dnssec-validation yes' option now requires an explicitly
configured 'trust-anchors' statement (or 'managed-keys' or
'trusted-keys', both deprecated).
Aram Sargsyan
2023-12-14 10:42:56 +00:00
parent 4cdef214d2
commit e8fa9aa5c7
2 changed files with 8 additions and 1 deletions


@@ -2577,7 +2577,10 @@ Boolean Options
If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be
manually configured using a :any:`trust-anchors` statement (or the
:any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If
there is no configured trust anchor, validation does not take place.
:any:`trust-anchors` is not configured, it is a configuration error. If
:any:`trust-anchors` does not include a valid root key, then validation does
not take place for names which are not covered by any of the configured trust
anchors.
If set to ``no``, DNSSEC validation is disabled. (Note: the resolver
will still set the DO bit in outgoing queries indicating that it can
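Review bot: the new sentence "If :any:`trust-anchors` is not configured, it is a configuration error." leaves two things open that the preceding sentence raises. First, that sentence says the anchor may also come from the deprecated :any:`managed-keys` or :any:`trusted-keys` statements, so the error condition should say whether those satisfy the requirement, e.g. "If none of these statements is configured, it is a configuration error." Second, "configuration error" does not tell the administrator what happens in practice (is the configuration rejected when named loads it, and does named-checkconf report it?); one clause stating the observable behaviour would make the upgrade impact clear. The following sentence about a missing root key is fine, but it now reads back to back with the error case, so a short "Otherwise," or similar at its start would make it obvious that it describes the configured-but-incomplete case rather than a second error.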


@@ -405,6 +405,10 @@ When set to *auto*, BIND automatically keeps the keys (also known as
trust anchors, discussed in :ref:`trust_anchors_description`)
up-to-date without intervention from the DNS administrator.
When using *yes*, please note that if :any:`trust-anchors` does not include a
valid root key, then validation does not take place for names which are not
covered by any of the configured trust anchors.
We recommend using the default *auto* unless there is a good reason to
require a manual trust anchor. To learn more about trust anchors,
please refer to :ref:`trusted_keys_and_managed_keys`.
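Review bot: the added text for *yes* only carries the root-key caveat, while the reference-manual hunk in this same commit makes an explicitly configured :any:`trust-anchors` statement (or the deprecated alternatives) mandatory and calls its absence a configuration error; without that sentence here, the two descriptions of *yes* diverge and a reader of this section would not learn that an existing "dnssec-validation yes" configuration without trust anchors now fails. Suggest prefixing the new paragraph with the requirement, e.g. "When using *yes*, a trust anchor must be configured with :any:`trust-anchors`; omitting it is a configuration error." and then keeping the root-key note. Minor: "please note that" is more conversational than the surrounding text; "note that" matches the register of the rest of the section.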