diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 5949ec14bd..57931b9a6b 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -2577,7 +2577,10 @@ Boolean Options If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be manually configured using a :any:`trust-anchors` statement (or the :any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If - there is no configured trust anchor, validation does not take place. + :any:`trust-anchors` is not configured, it is a configuration error. If + :any:`trust-anchors` does not include a valid root key, then validation does + not take place for names which are not covered by any of the configured trust + anchors. If set to ``no``, DNSSEC validation is disabled. (Note: the resolver will still set the DO bit in outgoing queries indicating that it can diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst index 33958bb2a0..8d069327fe 100644 --- a/doc/dnssec-guide/validation.rst +++ b/doc/dnssec-guide/validation.rst @@ -405,6 +405,10 @@ When set to *auto*, BIND automatically keeps the keys (also known as trust anchors, discussed in :ref:`trust_anchors_description`) up-to-date without intervention from the DNS administrator. +When using *yes*, please note that if :any:`trust-anchors` does not include a +valid root key, then validation does not take place for names which are not +covered by any of the configured trust anchors. + We recommend using the default *auto* unless there is a good reason to require a manual trust anchor. To learn more about trust anchors, please refer to :ref:`trusted_keys_and_managed_keys`.
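Review bot: In the reference.rst hunk, the new sentence "If :any:`trust-anchors` is not configured, it is a configuration error." conflicts with the unchanged sentence immediately before it, which says the anchor may also be supplied via the (deprecated) :any:`managed-keys` or :any:`trusted-keys` statements; as written, a server using one of those would be described as misconfigured. Suggest "If no trust anchor is configured by any of these statements, it is a configuration error", and state the observable consequence (whether named refuses to load the configuration or only logs), since "it is a configuration error" alone does not tell the operator what happens. Minor style: "names which are not covered" reads better as "names that are not covered".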
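Review bot: The validation.rst hunk repeats only half of the behaviour added to reference.rst: it documents the partial-validation case when :any:`trust-anchors` lacks a root key, but not that an entirely missing :any:`trust-anchors` with *yes* is a configuration error, so the two documents will disagree. Suggest adding that sentence here too, and defining "covered" for the guide's audience (a name is covered when it lies at or below the owner name of a configured trust anchor). "please note that" is filler; "If *yes* is used and :any:`trust-anchors` does not include a valid root key, validation ..." is tighter.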