diff --git a/doc/configuration.texi b/doc/configuration.texi
index 4e635b7c2191691490ef4ad12c9189fdc2354890..7fe416ac3b494fbcaec84fc508d1db2a1677a0bd 100644
--- a/doc/configuration.texi
+++ b/doc/configuration.texi
@@ -331,7 +331,7 @@ Keys for all zones must be placed in one directory.
 
 @item
 Algorithms based on RSA, DSA, and ECDSA are supported, support for GOST
-algorithm not finished yet.
+algorithm is not finished yet.
 
 @item
 Only key activation and inactivation time stamps are utilized and defined
@@ -371,11 +371,11 @@ Currently the signing policy is set hard in the server:
 
 @subsection Zone signing
 
-The signing process consists of following steps:
+The signing process consists of the following steps:
 
 @itemize @bullet
 @item
-Fixing @code{NSEC} and @code{NSEC3} records. This is determined by
+Fixing @code{NSEC} or @code{NSEC3} records. This is determined by
 @code{NSEC3PARAM} record presence in unsigned zone.
 
 @item
diff --git a/doc/knot.texi b/doc/knot.texi
index 4398432fded0249335da471a418b001dbd6bdf7d..23c3a700b832257ee39c7f2e16f310b17a8ae9cf 100644
--- a/doc/knot.texi
+++ b/doc/knot.texi
@@ -40,6 +40,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 @title Knot DNS Reference Manual
 @subtitle for version @value{VERSION}, @value{UPDATED}
 @author Jan Kadlec (@email{jan.kadlec@@nic.cz})
+@author Daniel Salzman (@email{daniel.salzman@@nic.cz})
 @author Lubos Slovak (@email{lubos.slovak@@nic.cz})
 @author Ondrej Sury (@email{ondrej@@sury.org})
 @author Marek Vavrusa (@email{marek.vavrusa@@nic.cz})
diff --git a/doc/reference.texi b/doc/reference.texi
index 0a2e927629dd0b6d7272617828b00f7dbd8313c3..f305d6a541e977b5287a73fbb5002998f095d8e7 100644
--- a/doc/reference.texi
+++ b/doc/reference.texi
@@ -50,8 +50,6 @@ else.
   [ @code{rate-limit-size} @kbd{integer}@code{;} ]
   [ @code{rate-limit-slip} @kbd{integer}@code{;} ]
   [ @code{max-udp-payload} @kbd{integer}@code{;} ]
-  [ @code{dnssec-enable} ( @code{on} | @code{off} )@code{;} ]
-  [ @code{dnssec-keydir} @kbd{string}@code{;} ]
 @code{@}}
 @end example
 
@@ -75,8 +73,6 @@ else.
 * rate-limit-size::
 * rate-limit-slip::
 * max-udp-payload::
-* dnssec-enable::
-* dnssec-keydir::
 @end menu
 
 @node identity
@@ -275,25 +271,6 @@ Maximum EDNS0 UDP payload size.
 
 Default value: @kbd{4096}
 
-@node dnssec-enable
-@subsubsection dnssec-enable
-@vindex dnssec-enable
-
-Enable DNSSEC signing for all zones.
-
-Default value: @code{on} if @code{dnssec-keydir} is set
-
-@node dnssec-keydir
-@subsubsection dnssec-keydir
-@vindex dnssec-keydir
-
-Location with DNSSEC signing keys.
-
-Default value: not set
-
-@node system Example
-@subsection system Example
-
 @example
 system @{
   identity "Knot DNS @value{VERSION}";
@@ -303,6 +280,7 @@ system @{
   rundir "/var/run/knot";
   workers 16;
   user knot.knot;
+  max-udp-payload 4096;
 @}
 @end example
 
@@ -738,6 +716,7 @@ The @code{zones} statement contains definition of zones served by Knot DNS.
     [ @code{notify-in} @kbd{remote_id} [, @kbd{remote_id}, @dots{} ]@code{;} ]
     [ @code{notify-out} @kbd{remote_id} [, @kbd{remote_id}, @dots{} ]@code{;} ]
     [ @code{update-in} @kbd{remote_id} [, @kbd{remote_id}, @dots{} ]@code{;} ]
+    [ @code{dnssec-keydir} @kbd{string}@code{;} ]
     [ @kbd{zone_options} ]
   @code{@}}
 @code{@}}
@@ -773,7 +752,8 @@ The @code{zones} statement contains definition of zones served by Knot DNS.
 * notify-retries::
 * zonefile-sync::
 * ixfr-fslimit::
-* dnssec-enable/zone::
+* dnssec-enable::
+* dnssec-keydir::
 * signature-lifetime::
 @end menu
 
@@ -879,14 +859,25 @@ are 1 to INT_MAX and default value is 5.
 
 @code{ixfr-fslimit} sets a maximum file size for zone's journal in bytes. Possible values are 1 to INT_MAX, with optional suffixes k, m and G. I.e. @emph{1k}, @emph{1m} and @emph{1G} with default value not being set, meaning that journal file can grow without limitations.
 
-@node dnssec-enable/zone
+@node dnssec-enable
 @subsubsection dnssec-enable
 @vindex dnssec-enable
 
-Enable DNSSEC signing for the zone.
+EXPERIMENTAL: Enable DNSSEC signing for the zone.
 
 Default value: inherited from global value set in @code{zones} section.
 
+@node dnssec-keydir
+@subsubsection dnssec-keydir
+@vindex dnssec-keydir
+
+Location of DNSSEC signing keys.
+
+Default value: not set
+
+@node system Example
+@subsection system Example
+
 @node signature-lifetime
 @subsubsection signature-lifetime
 @vindex signature-lifetime
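Review bot: The `@node system Example` / `@subsection system Example` pair added after the new `dnssec-keydir` entry is misplaced: it sits among the zones option nodes, directly before `@node signature-lifetime`. The `system @{ … @}` example it used to title stays in the system section, where the earlier hunk (-275,25) removes these same two lines together with the old dnssec nodes. As written, the system example loses its heading, and `signature-lifetime` ends up nested under a subsection called "system Example" that the zones menu does not list. Drop the pair here and keep `@node system Example` and `@subsection system Example` immediately before the `@example` in the system section.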
@@ -911,6 +902,7 @@ zones @{
   notify-retries 5;
   zonefile-sync 1h;
   ixfr-fslimit 1G;
+  dnssec-enable on;
   signature-lifetime 60d;
   example.com @{
     file "samples/example.com.zone";
@@ -920,6 +912,7 @@ zones @{
     notify-timeout 60;
     notify-retries 5;
     zonefile-sync 1h;
+    dnssec-enable off;
     signature-lifetime 30d;
     xfr-in server0;
     xfr-out server0, server1;
diff --git a/man/knot.conf.5.in b/man/knot.conf.5.in
index 2b2b0c294739dbfd1667129ff3a706cd58a5d138..24fb7930ac4a3fac6308a688803651e62346af96 100644
--- a/man/knot.conf.5.in
+++ b/man/knot.conf.5.in
@@ -102,7 +102,8 @@ serves as an example of the configuration for knotc(8) and knotd(8).
   rate-limit-slip 1;
 
   # Maximum EDNS0 UDP payload size
-  # max-udp-payload 4096;
+  # Default value: 4096
+  max-udp-payload 4096;
  }
 
  # Includes can be placed anywhere at any level in the configuration file. The
@@ -255,6 +256,15 @@ serves as an example of the configuration for knotc(8) and knotd(8).
   # f.e. 1k, 100M, 2G
   ixfr-fslimit 1G;
 
+  # Enable DNSSEC online signing (EXPERIMENTAL)
+  # Possible values: on | off;
+  # Default value: off
+  dnssec-enable off;
+
+  # Location of DNSSEC signing keys.
+  # Default value: not set
+  # dnssec-keydir "some-secure-directory";
+
   # Validity period for DNSSEC signatures
   # Possible values: (7200..INT_MAX> (seconds)
   # Default value: 30d (30 days or 2592000 seconds)
@@ -312,6 +322,15 @@ serves as an example of the configuration for knotc(8) and knotd(8).
     # f.e. 1k, 100M, 2G
     ixfr-fslimit 1G;
 
+    # Enable DNSSEC online signing (EXPERIMENTAL)
+    # Possible values: on | off;
+    # Default value: off
+    dnssec-enable off;
+
+    # Location of DNSSEC signing keys.
+    # Default value: not set
+    # dnssec-keydir "some-secure-directory";
+
     # Validity period for DNSSEC signatures
     # Possible values: (7200..INT_MAX> (seconds)
     # Default value: 30d (30 days or 2592000 seconds)
diff --git a/samples/knot.full.conf b/samples/knot.full.conf
index 9675438536e15f4c2a6963047c47400699d6a42d..dd901db596d0ac4768775aedebd26ee12eb0c46c 100644
--- a/samples/knot.full.conf
+++ b/samples/knot.full.conf
@@ -96,7 +96,8 @@ system {
   rate-limit-slip 1;
 
   # Maximum EDNS0 UDP payload size
-  # max-udp-payload 4096;
+  # Default value: 4096
+  max-udp-payload 4096;
 }
 
 # Includes can be placed anywhere at any level in the configuration file. The
@@ -249,6 +250,15 @@ zones {
   # f.e. 1k, 100M, 2G
   ixfr-fslimit 1G;
 
+  # Enable DNSSEC online signing (EXPERIMENTAL)
+  # Possible values: on | off;
+  # Default value: off
+  dnssec-enable off;
+
+  # Location of DNSSEC signing keys.
+  # Default value: not set
+  # dnssec-keydir "some-secure-directory";
+
   # Validity period for DNSSEC signatures
   # Possible values: (7200..INT_MAX> (seconds)
   # Default value: 30d (30 days or 2592000 seconds)
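Review bot: The commented-out `dnssec-keydir "some-secure-directory"` line names a "secure" directory without saying what makes it secure, which matters because this directory holds the zone's private signing keys. The comment above it should state the requirement, for example `# Holds private keys: use an absolute path owned by the server's user and not readable by group or others.` The same wording appears in both `man/knot.conf.5.in` hunks and should be updated there too. It would also help to say how a relative path is resolved, since the diff does not show whether it is taken relative to the configuration file or the storage directory.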
@@ -306,6 +316,11 @@ zones {
     # f.e. 1k, 100M, 2G
     ixfr-fslimit 1G;
 
+    # Enable DNSSEC online signing (EXPERIMENTAL)
+    # Possible values: on | off;
+    # Default value: off
+    dnssec-enable off;
+
     # Validity period for DNSSEC signatures
     # Possible values: (7200..INT_MAX> (seconds)
     # Default value: 30d (30 days or 2592000 seconds)
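Review bot: This per-zone block adds `dnssec-enable` but no `dnssec-keydir` entry, unlike the matching per-zone hunk in `man/knot.conf.5.in`, which adds both. `doc/reference.texi` also lists `dnssec-keydir` inside the zone block syntax, so this looks like an omission in the sample. Separately, `# Default value: off` at zone level disagrees with the reference manual text in this commit, which says the per-zone default is inherited from the `zones` section. If inheritance is the real behaviour, the comment should read `# Default value: inherited from the zones-level setting`, here and in the man page copy.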